Abstract. We present probabilistic algorithms which, given a genus 2 curve $C$ defined over a finite field and a quartic CM field $K$, determine whether the endomorphism ring of the Jacobian $J$ of $C$ is the full ring of integers in $K$. In particular, we present algorithms for computing the field of definition of, and the action of Frobenius on, the subgroups $J[\ell^d]$ for prime powers $\ell^d$. We use these algorithms to create the first implementation of Eisenträger and Lauter's algorithm for computing Igusa class polynomials via the Chinese Remainder Theorem [EL], and we demonstrate the algorithm for a few small examples. We observe that in practice the running time of the CRT algorithm is dominated not by the endomorphism ring computation but rather by the need to compute $p^3$ curves for many small primes $p$.



1. Introduction 

Many public-key cryptographic protocols are based on the difficulty of the discrete logarithm problem in groups of points on elliptic curves and Jacobians of hyperelliptic curves. For such protocols one needs to work in a subgroup of large prime order of the Jacobian of the curve, so it is useful to be able to construct curves over finite fields whose Jacobians have a specified number of points.

The problem of constructing elliptic curves over finite fields with a given number of points has been studied extensively. Current solutions rely on computing the $j$-invariant via the construction of the Hilbert class polynomial for a quadratic imaginary field. There are three different approaches to computing the Hilbert class polynomial: a complex-analytic algorithm [AM], [Eng]; a Chinese Remainder Theorem algorithm [CNST], [ALV]; and a $p$-adic algorithm [CH], [Bro]. The best running time for these algorithms is $\widetilde{O}(|d|)$, where $d$ is the discriminant of the quadratic imaginary field [Eng], [Bro].

Analogous methods exist for constructing genus 2 curves with a given number of points on their Jacobians. In this case, the solutions rely on computing the curves' Igusa invariants via the computation of Igusa class polynomials for quartic CM fields. Again there are three different approaches: a complex-analytic algorithm [Spa], [vW], [W], [CL]; a Chinese Remainder Theorem algorithm [EL]; and a $p$-adic algorithm [GHKRW]. These algorithms are less extensively developed than their elliptic curve analogues, and to date there is no running time analysis for any of them.

In this paper we study the implementation of Eisenträger and Lauter's Chinese Remainder Theorem algorithm [EL]. The algorithm takes as input a primitive quartic CM field $K$, i.e. a purely imaginary quadratic extension of a real quadratic field with no proper imaginary quadratic subfields, and produces the Igusa class polynomials of $K$. The basic outline of the algorithm is as follows:

(1) Define $S$ to be a set of primes with certain splitting behavior in the field $K$ and its reflex field $K^*$.

(2) For each prime $p$ in $S$:

(a) For each triple $(i_1, i_2, i_3) \in \mathbb{F}_p^3$ of Igusa invariants, construct a genus 2 curve $C$ over $\mathbb{F}_p$ corresponding to that triple.

(b) Check the isogeny class of each curve. For each curve in the desired isogeny class, compute the endomorphism ring of the Jacobian of the curve and keep only those curves for which the endomorphism ring is the full ring of integers $\mathcal{O}_K$.

(c) Construct the Igusa class polynomials mod $p$ from the triples collected in Step 2b.

(3) Use the Chinese Remainder Theorem or the Explicit CRT [Ber] to construct the Igusa polynomials either with rational coefficients or modulo a prime of cryptographic size.

One advantage of the CRT algorithm over other algorithms for computing Igusa 
class polynomials is that the CRT algorithm does not require that the real quadratic 
subfield have class number one. 

Our contribution is to provide an efficient probabilistic algorithm for computing endomorphism rings of Jacobians of genus 2 curves over small prime fields. Using this algorithm to compute endomorphism rings, we have implemented a probabilistic version of the full Eisenträger–Lauter CRT algorithm (Algorithm 7.1) in MAGMA and used it to compute Igusa class polynomials for several fields $K$ with small discriminant.

It was previously believed that computing endomorphism rings would be the bottleneck in the genus 2 CRT algorithm. Our results are surprising in the sense that we find that the time taken to compute the endomorphism rings with our probabilistic algorithms is negligible compared with the time needed to compute $p^3$ genus 2 curves via Mestre's algorithm for each small prime $p$. For example, for $K = \mathbb{Q}(i\sqrt{13 + 2\sqrt{13}})$ and $p = 157$, the largest prime for which endomorphism rings are computed for this $K$, our (unoptimized) MAGMA program takes about 52 minutes to loop through $157^3$ curves and find 243 curves in the specified isogeny class. Our probabilistic algorithm (also implemented in MAGMA) applied to these 243 curves then takes 16.5 seconds to find the single curve whose Jacobian has endomorphism ring equal to $\mathcal{O}_K$.

The algorithm works as follows. Let $C$ be a genus 2 curve over a finite field $\mathbb{F}_p$, and let $J$ be its Jacobian; we assume $J$ is ordinary. Let $K$ be a primitive quartic CM field, which we assume is given via an embedding in $\mathbb{C}$. The first test is whether $\mathrm{End}(J)$, the endomorphism ring of $J$, is an order in $\mathcal{O}_K$. This computation is outlined in [EL, Section 5] and described in more detail in Section 2 below. If $\mathrm{End}(J)$ is an order in $\mathcal{O}_K$, we compute a set of possible elements $\pi \in \mathcal{O}_K$ that could represent the Frobenius endomorphism of $J$. If $\pi$ represents the Frobenius endomorphism, then its complex conjugate $\bar\pi$ represents the Verschiebung endomorphism.

We next determine a set $\{\alpha_i\}$ of elements of $\mathcal{O}_K$ such that $\mathbb{Z}[\pi, \bar\pi, \{\alpha_i\}] = \mathcal{O}_K$. It follows that $\mathrm{End}(J) = \mathcal{O}_K$ if and only if each $\alpha_i$ is an endomorphism of $J$. We show in Section 3 that we can take each $\alpha_i$ to have one of two forms: either $\alpha_i = \frac{\pi^k - 1}{\ell}$ for some positive integer $k$ and prime $\ell$, or $\alpha_i = \frac{h_i(\pi)}{\ell^d}$ for some cubic polynomial $h_i$ with integer coefficients and some prime power $\ell^d$. In Section 4 we show how to determine whether an element of the first form is an endomorphism; this is equivalent to determining the field of definition of the $\ell$-torsion points of $J$. In Section 5 we show how to determine whether an element of the second form is an endomorphism; this is equivalent to computing the action of Frobenius on a basis of $J[\ell^d]$. The main results are Algorithms 4.3 and 5.1, two very efficient probabilistic algorithms which check fields of definition and compute the action of Frobenius, respectively. The running times of these algorithms depend primarily on the sizes of the fields over which the points of $J[\ell^d]$ are defined. Section 6 provides upper bounds for these sizes in terms of the prime $\ell$ and the size $p$ of the base field.

A detailed statement of the Eisenträger–Lauter CRT algorithm, incorporating the algorithms of Sections 2, 4 and 5, appears in Section 7. Section 8 describes various ways in which we have modified our MAGMA implementation to improve the algorithm's performance. Finally, in Section 9 we give examples of our algorithm run on several small quartic CM fields.

Notation and assumptions. Throughout this paper, a curve will refer to a smooth, projective, absolutely irreducible algebraic curve $C$. The Jacobian of $C$, denoted $\mathrm{Jac}(C)$, is an abelian variety of dimension $g$, where $g$ is the genus of $C$. We assume throughout that $p$ is a prime, and that $\mathrm{Jac}(C)$ is an ordinary abelian variety modulo $p$.

A number field $K$ is a CM field if it is a totally imaginary quadratic extension of a totally real field. We denote by $K^*$ the reflex field of $K$, and by $K_0$ the real quadratic subfield of $K$. A CM field is primitive if it has no proper CM subfields. We will assume unless otherwise noted that $K$ is a primitive quartic CM field not isomorphic to $\mathbb{Q}(\zeta_5)$. This implies that $K$ is either Galois cyclic or non-Galois. If $K$ is Galois cyclic, then $K^* = K$; if $K$ is non-Galois, then $K^*$ is another primitive quartic CM field [Shi, p. 64]. A curve $C$ has CM by $K$ if the endomorphism ring of $\mathrm{Jac}(C)$ is isomorphic to an order in $\mathcal{O}_K$, the ring of integers of the CM field $K$.

Acknowledgments. This research was conducted during the first author's internship at Microsoft Research, Redmond, during the summer of 2006. The first author thanks Microsoft for its hospitality and Denis Charles, Jean-Marc Couveignes, and Edward Schaefer for many helpful discussions. The second author thanks Pierrick Gaudry for helpful correspondence and pointers to his code. Both authors thank Reinier Bröker, David Kohel, and Christophe Ritzenthaler for their feedback on previous versions of this paper.

2. Computing zeta functions and the Frobenius element 

To determine whether the Jacobian $J$ of a given genus 2 curve $C$ has endomorphism ring equal to $\mathcal{O}_K$, the first step is to determine whether the endomorphism ring is even an order in $\mathcal{O}_K$. This is accomplished by computing the characteristic polynomial of Frobenius, to see if the Frobenius element corresponds to an algebraic integer of $K$. This in turn is equivalent to determining the zeta function of $C$, which can be computed by finding the number of points on the curve and its Jacobian, $n = \#C(\mathbb{F}_p)$ and $m = \#J(\mathbb{F}_p)$. For a given field $K$ there are several possibilities for the pairs $(n, m)$, as described in [EL, Prop. 4].

In this section we give an explicit algorithm that determines whether $\mathrm{End}(J)$ is an order in $\mathcal{O}_K$ and if so, gives a set $S \subset \mathcal{O}_K$ of possibilities for the Frobenius endomorphism of $J$. The main point is to find the possible Frobenius elements by finding generators of certain principal ideals (Step 2) with absolute value equal to $\sqrt{p}$ (Step 4a).

Algorithm 2.1. Let $K$ be a primitive quartic CM field and $K^*$ the reflex of $K$. The following algorithm takes as input the field $K$, a prime $p$ that splits completely in $K$ and splits completely into principal ideals in $K^*$, and a curve $C$ defined over the finite field $\mathbb{F}_p$. The algorithm returns true or false according to whether $\mathrm{End}(J)$ is an order in $\mathcal{O}_K$, where $J = \mathrm{Jac}(C)$. If the answer is true, the algorithm also outputs a set $S \subset \mathcal{O}_K$ that consists of the $\mathrm{Aut}(K/\mathbb{Q})$-orbit of the Frobenius endomorphism of $J$.

(1) Compute the decomposition $p = \mathfrak{p}_1\mathfrak{p}_2\mathfrak{p}_3\mathfrak{p}_4$ in $\mathcal{O}_K$, using e.g. [Coh, Alg. 6.2.9]. Renumber so that $\mathfrak{p}_2 = \bar{\mathfrak{p}}_1$ and $\mathfrak{p}_4 = \bar{\mathfrak{p}}_3$.

(2) Compute generators $\alpha_1$ and $\alpha_2$ for the principal ideals $\mathfrak{p}_1\mathfrak{p}_3$ and $\mathfrak{p}_2\mathfrak{p}_3$, respectively, using e.g. [Coh, Alg. 6.5.10].

(3) Compute a fundamental unit $u$ of $K_0$ with $|u| > 1$, using e.g. [Coh, Alg. 5.7.1].

(4) For $i \leftarrow 1, 2$, do the following:

(a) If $|\alpha_i| < \sqrt{p}$, set $\alpha_i \leftarrow \alpha_i u$ until $|\alpha_i| = \sqrt{p}$. If $|\alpha_i| > \sqrt{p}$, set $\alpha_i \leftarrow \alpha_i u^{-1}$ until $|\alpha_i| = \sqrt{p}$.

(b) Compute the characteristic polynomial $h_i(x)$ of $\alpha_i$, using e.g. [Coh, Prop. 4.3.4].

(c) If $K$ is Galois and $h_1(x) = h_2(-x)$, set $\alpha_2 \leftarrow -\alpha_2$ and $h_2(x) \leftarrow h_2(-x)$.

(d) Set $(n_{i,+1}, m_{i,+1}) \leftarrow (p + 1 - \mathrm{Tr}(\alpha_i),\ h_i(1))$ and $(n_{i,-1}, m_{i,-1}) \leftarrow (p + 1 + \mathrm{Tr}(\alpha_i),\ h_i(-1))$, where $\mathrm{Tr}(\alpha_i)$ is the trace of $\alpha_i$ from $K$ to $\mathbb{Q}$, i.e. the negative of the coefficient of $x^3$ in $h_i(x)$.

(5) Determine whether the Frobenius endomorphism of $J$ has characteristic polynomial equal to $h_i(\pm x)$ for some $i$:

(a) Choose a random point $P \in J(\mathbb{F}_p)$ and compute $Q_{i,\tau} = [m_{i,\tau}]P$ for $i \in \{1, 2\}$, $\tau \in \{\pm 1\}$. If none of the $Q_{i,\tau}$ is the identity, return false. Otherwise, optionally repeat with another random point $P$.

(b) If $J$ passes a certain fixed number of trials of Step 5a, compute $\#C(\mathbb{F}_p)$. If $\#C(\mathbb{F}_p) \neq n_{i,\tau}$ for all $i \in \{1, 2\}$, $\tau \in \{\pm 1\}$, return false.

(c) If $\#C(\mathbb{F}_p) = n_{i,\tau}$, compute $\#J(\mathbb{F}_p)$, using e.g. Baby Step Giant Step [Coh, Alg. 5.4.1]. If $\#J(\mathbb{F}_p) \neq m_{i,\tau}$ for the same $i, \tau$, return false.

(6) If $K$ is Galois, output $S = \{\tau\alpha_1, \tau\bar\alpha_1, \tau\alpha_2, \tau\bar\alpha_2\}$. If $K$ is not Galois, output $S = \{\tau\alpha_i, \tau\bar\alpha_i\}$, using the $i, \tau$ determined in Step 5c.

(7) Return true.

Proof. The proof of [EL, Prop. 4] shows that the ideals $\mathfrak{p}_1\mathfrak{p}_3$ and $\mathfrak{p}_2\mathfrak{p}_3$ are principal and the Frobenius endomorphism of $J$ corresponds to a generator of one of these ideals or their complex conjugates. Furthermore, this generator must have complex absolute value $\sqrt{p}$. The generators determined in Step 2 are unique up to unit multiple, so Step 4a ensures that the absolute values are $\sqrt{p}$, thus making each $\alpha_i$ unique up to complex conjugation and sign.

If the Frobenius element corresponds to $\alpha_i$ or $\bar\alpha_i$, then $h_i(x)$ is the characteristic polynomial of Frobenius, so we can determine this case by checking whether $\#C(\mathbb{F}_p) = n_{i,+1}$ and $\#J(\mathbb{F}_p) = m_{i,+1}$. Similarly, if the Frobenius element corresponds to $-\alpha_i$ or $-\bar\alpha_i$, then $h_i(-x)$ is the characteristic polynomial of Frobenius, so we can determine this case by checking whether $\#C(\mathbb{F}_p) = n_{i,-1}$ and $\#J(\mathbb{F}_p) = m_{i,-1}$.

If $K$ is Galois (with Galois group $C_4$), then the ideal $(\alpha_2)$ is equal to $(\alpha_1)^\sigma$ for some $\sigma$ generating the Galois group. Since complex absolute value squared is the same as the norm from $K$ to its real quadratic subfield $K_0$, $|\alpha_1| = \sqrt{p}$ implies that $|\alpha_1^\sigma| = \sqrt{p}$. Since $\alpha_1^\sigma$ and $\alpha_2$ both generate $(\alpha_2)$ and have absolute value $\sqrt{p}$, we deduce that $\alpha_1^\sigma = \pm\alpha_2$. Step 4c ensures that this sign is positive, so $\alpha_1$ and $\alpha_2$ have the same characteristic polynomial $h_1(x)$, and thus the Frobenius element could be any of the elements output by Step 6. Since $\mathrm{Aut}(K/\mathbb{Q})$ is generated by $\sigma$ and $\sigma^2$ is complex conjugation, we have output the $\mathrm{Aut}(K/\mathbb{Q})$-orbit of the Frobenius element.

If $K$ is not Galois, then the Frobenius element must be either $\tau\alpha_i$ or $\tau\bar\alpha_i$ for the $i, \tau$ found in Step 5c. Since $\mathrm{Aut}(K/\mathbb{Q})$ in this case consists of only the identity and complex conjugation, Step 6 outputs the $\mathrm{Aut}(K/\mathbb{Q})$-orbit of the Frobenius element. □

3. Constructing a generating set for $\mathcal{O}_K$

Given the Jacobian $J$ of a genus 2 curve over $\mathbb{F}_p$ and a primitive quartic CM field $K$, Algorithm 2.1 allows us to determine whether there is some $\pi \in \mathcal{O}_K$ that represents the Frobenius endomorphism of $J$. Since the complex conjugate $\bar\pi$ represents the Verschiebung endomorphism, if Algorithm 2.1 outputs true then we have

(3.1) $\mathbb{Z}[\pi, \bar\pi] \subseteq \mathrm{End}(J) \subseteq \mathcal{O}_K.$

In this section, we assume we are given a $J/\mathbb{F}_p$ and a $\pi$ such that (3.1) holds, and we wish to determine whether $\mathrm{End}(J) = \mathcal{O}_K$.

Let $B$ be a $\mathbb{Z}$-module basis for $\mathcal{O}_K$, and consider the collection of elements $\{\alpha \in B \setminus \mathbb{Z}\}$. Since this collection generates $\mathcal{O}_K$ over $\mathbb{Z}[\pi, \bar\pi]$, it suffices to determine whether or not each element of the collection is an endomorphism of $J$. Assuming $K$ satisfies some mild hypotheses, Eisenträger and Lauter give one example of a basis $B$ that suffices to determine the endomorphism ring [EL, Lemma 6]. However, the method given in [EL] lacks an efficient procedure for testing whether a given $\alpha \in B$ is an endomorphism of $J$.

In this section, we derive from an arbitrary basis $B$ a set of generators for $\mathcal{O}_K$ over $\mathbb{Z}[\pi, \bar\pi]$ that are convenient in the sense that there is an efficient probabilistic algorithm (Algorithm 4.3 or Algorithm 5.1) for determining whether an element of the set is an endomorphism of $J$. Our findings are summarized in Proposition 3.8.

We begin by observing that since $K = \mathbb{Q}(\pi)$, any $\alpha \in \mathcal{O}_K$ can be expressed as a polynomial $f \in \mathbb{Q}[\pi]$. Since $\pi$ satisfies a polynomial of degree 4 (the characteristic polynomial of Frobenius), $f$ can be taken to have degree 3. We may thus write

(3.2) $\alpha = \dfrac{a_0 + a_1\pi + a_2\pi^2 + a_3\pi^3}{n}$

for some integers $a_0, a_1, a_2, a_3, n$. We assume that $a_0, a_1, a_2, a_3$ have no common factor with $n$, so that $n$ is the smallest integer such that $n\alpha \in \mathbb{Z}[\pi]$.

Remark 3.1. The LLL lattice reduction algorithm [LLL], as implemented by the MAGMA command LinearRelation, finds an expression of the form (3.2) for any $\alpha \in \mathcal{O}_K$. Given as input the sequence $[1, \pi, \pi^2, \pi^3, -\alpha]$, the algorithm outputs a sequence $[a_0, a_1, a_2, a_3, n]$ satisfying the relation (3.2).



The following lemma shows that each $\alpha \in B \setminus \mathbb{Z}$ can be replaced with a collection of elements that generate the same ring, each with a power of a single prime in the denominator of the expression (3.2).

Lemma 3.2. Let $A \subseteq B$ be commutative rings with 1, with $[B : A]$ finite. Suppose $\alpha \in B$, and let $n$ be the smallest integer such that $n\alpha \in A$. Suppose $n$ factors into primes as $\ell_1^{e_1} \cdots \ell_r^{e_r}$. Then

$A[\alpha] = A\left[\dfrac{n}{\ell_1^{e_1}}\alpha, \ldots, \dfrac{n}{\ell_r^{e_r}}\alpha\right].$

Proof. Clearly the ring on the right is contained in the ring on the left, so we must show that $\alpha$ is contained in the ring on the right. It suffices to show that there are integers $c_i$ such that

(3.3) $c_1\dfrac{n}{\ell_1^{e_1}} + \cdots + c_r\dfrac{n}{\ell_r^{e_r}} = 1,$

for then we can multiply this identity by $\alpha$ to get our result. We use the extended Euclidean algorithm and induct on $r$, the number of distinct primes dividing $n$. If $r = 1$ the result is trivial, for in this case $n/\ell_1^{e_1} = 1$. Now suppose (3.3) holds for any $n$ that is divisible by $r$ distinct primes. If $n'$ is divisible by $r + 1$ distinct primes, we can write $n' = n\ell_{r+1}^{e_{r+1}}$ for some $n$ divisible by $r$ distinct primes. Since $\ell_{r+1}^{e_{r+1}}$ is relatively prime to $n$, we can use the extended Euclidean algorithm to write $a\ell_{r+1}^{e_{r+1}} + bn = 1$ for some integers $a, b$. We can then multiply the first term by the left-hand side of (3.3) (which is equal to 1) to get

$ac_1\dfrac{n\ell_{r+1}^{e_{r+1}}}{\ell_1^{e_1}} + \cdots + ac_r\dfrac{n\ell_{r+1}^{e_{r+1}}}{\ell_r^{e_r}} + bn = ac_1\dfrac{n'}{\ell_1^{e_1}} + \cdots + ac_r\dfrac{n'}{\ell_r^{e_r}} + b\dfrac{n'}{\ell_{r+1}^{e_{r+1}}} = 1.$

This is an equation of the form (3.3) for $n'$, which completes the proof. □

The next lemma shows that only primes dividing the index $[\mathcal{O}_K : \mathbb{Z}[\pi]]$ appear in the denominators.

Lemma 3.3. Let $\alpha$ be an element of $\mathcal{O}_K$, and suppose $n$ is the smallest integer such that $n\alpha \in \mathbb{Z}[\pi]$. Then $n$ divides the index $[\mathcal{O}_K : \mathbb{Z}[\pi]]$.

Proof. Let $N = [\mathcal{O}_K : \mathbb{Z}[\pi]]$. By definition, $N$ is the size of the abelian group $\mathcal{O}_K/\mathbb{Z}[\pi]$. Thus the class of any $\alpha \in \mathcal{O}_K$ in this group has order dividing $N$, so $N \cdot \alpha \in \mathbb{Z}[\pi]$. This shows that $\mathcal{O}_K$ is contained in $\frac{1}{N}\mathbb{Z}[\pi]$. We may thus write $\alpha = f(\pi)/N$ for a unique polynomial $f$ with integer coefficients and degree at most 3. Furthermore, since $n\alpha$ is the smallest multiple of $\alpha$ in $\mathbb{Z}[\pi]$, we may write $\alpha = g(\pi)/n$ for a unique polynomial $g$ with integer coefficients and degree at most 3, such that $n$ has no factor in common with all the coefficients of $g$. We thus have $n \cdot f(\pi) = N \cdot g(\pi)$, and since $1, \pi, \pi^2, \pi^3$ are linearly independent over $\mathbb{Q}$ this is an equality of coefficients. If we let $d$ be the gcd of the coefficients of $f$ and $e$ be the gcd of the coefficients of $g$, then we have $n \cdot d = N \cdot e$.

Let $\ell$ be a prime dividing $e$. Since $\gcd(n, e) = 1$, $\ell$ must divide $d$, so we can cancel $\ell$ from both sides and get $n \cdot d' = N \cdot e'$ with $e' < e$. Proceeding in this manner until $e' = 1$, we conclude that $n$ divides $N$. □
We now know that each $\alpha \in B \setminus \mathbb{Z}$ can be replaced with a collection of elements $\{\frac{n}{\ell_i^{e_i}}\alpha\}$, and the only $\ell_i$ appearing are divisors of the index $[\mathcal{O}_K : \mathbb{Z}[\pi]]$.

The following lemma and corollary show that for any $\ell$ which divides $[\mathcal{O}_K : \mathbb{Z}[\pi]]$ exactly (i.e. $\ell \mid [\mathcal{O}_K : \mathbb{Z}[\pi]]$ and $\ell^2 \nmid [\mathcal{O}_K : \mathbb{Z}[\pi]]$), the element $\frac{n}{\ell}\alpha$ can be replaced by an element of the form $\frac{\pi^k - 1}{\ell}$. This replacement is useful since by [EL, Fact 10], determining whether an element of the form $\frac{\pi^k - 1}{\ell}$ is an endomorphism is equivalent to testing the field of definition of the $\ell$-torsion.

Lemma 3.4. Let $A \subseteq B \subseteq C$ be abelian groups, with $[C : A]$ finite. Let $\ell$ be a prime, and suppose $\ell$ divides $[C : A]$ and $\ell^2$ does not divide $[C : A]$. Suppose there is some $\beta \in B$ such that $\beta \notin A$ and $\ell\beta \in A$. Then for any $\alpha \in C$ such that $\ell\alpha \in A$, $\alpha \in B$.

Proof. The hypotheses on $[C : A]$ imply that the $\ell$-primary part of $C/A$ (denoted $(C/A)_\ell$) is isomorphic to $\mathbb{Z}/\ell\mathbb{Z}$, so $(B/A)_\ell$ is either trivial or $\mathbb{Z}/\ell\mathbb{Z}$. The conditions on $\beta$ imply that $\beta$ has order $\ell$ in $B/A$, so $(B/A)_\ell \cong \mathbb{Z}/\ell\mathbb{Z} = (C/A)_\ell$, with the isomorphism induced by the inclusion map $B \hookrightarrow C$. Since $\alpha$ is in the $\ell$-primary part of $C/A$, $\alpha$ must also be in the $\ell$-primary part of $B/A$, so $\alpha \in B$. □

Corollary 3.5. Suppose $\ell$ divides $[\mathcal{O}_K : \mathbb{Z}[\pi]]$ exactly and $\beta = \frac{\pi^k - 1}{\ell} \notin \mathbb{Z}[\pi]$. Then $\frac{\pi^k - 1}{\ell}$ is an endomorphism of $J$ if and only if every $\alpha \in \mathcal{O}_K \setminus \mathbb{Z}[\pi]$ with $\ell\alpha \in \mathbb{Z}[\pi]$ is also an endomorphism.

Proof. The result follows directly from Lemma 3.4 with $A = \mathbb{Z}[\pi]$, $B = \mathrm{End}(J)$, and $C = \mathcal{O}_K$. □

Furthermore, if $p \nmid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$, then any element $\alpha_i$ with denominator $\ell_i = p$ may be ignored due to the following corollary.

Corollary 3.6. Suppose $p \nmid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$. Then for any $\alpha \in \mathcal{O}_K$ such that $p\alpha \in \mathbb{Z}[\pi]$, $\alpha \in \mathbb{Z}[\pi, \bar\pi]$.

Proof. Since $\pi$ is the Frobenius element, it satisfies a characteristic polynomial of the form

(3.4) $\pi^4 + s_1\pi^3 + s_2\pi^2 + s_1 p\,\pi + p^2 = 0.$

Using $\pi\bar\pi = p$ and dividing this equation by $\pi$ gives

(3.5) $\pi^3 + s_1\pi^2 + s_2\pi + s_1 p + p\bar\pi = 0.$

From this equation we see that $p\bar\pi \in \mathbb{Z}[\pi]$, so either $[\mathbb{Z}[\pi, \bar\pi] : \mathbb{Z}[\pi]] = p$ or $\bar\pi \in \mathbb{Z}[\pi]$. If $\bar\pi \in \mathbb{Z}[\pi]$ then $p$ divides the coefficients of the terms on the left-hand side of (3.5), which it does not (the coefficient of $\pi^3$ is 1), so we deduce that $\bar\pi \notin \mathbb{Z}[\pi]$ and $[\mathbb{Z}[\pi, \bar\pi] : \mathbb{Z}[\pi]] = p$. The hypothesis $p \nmid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ thus implies that $p$ divides $[\mathcal{O}_K : \mathbb{Z}[\pi]]$ exactly, so we may apply Lemma 3.4 with $\ell = p$, $A = \mathbb{Z}[\pi]$, $B = \mathbb{Z}[\pi, \bar\pi]$, $C = \mathcal{O}_K$, and $\beta = \bar\pi$. □

Thus any $\alpha$ satisfying the conditions of the corollary is automatically an endomorphism. We now show that the condition $p \nmid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ is automatically satisfied for all primes $p$ except possibly 2 and 3.

Proposition 3.7. Suppose $p > 3$ and that $\pi \in \mathcal{O}_K$ corresponds to the Frobenius endomorphism of an ordinary abelian surface $A$ over $\mathbb{F}_p$. Then $p \nmid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$.

Proof. Let $\Delta(R)$ denote the discriminant of a $\mathbb{Z}$-module $R$. Christophe Ritzenthaler pointed out that this proposition follows from [How, Proposition 9.4], which shows that

$\Delta(\mathbb{Z}[\pi, \bar\pi]) = \pm\,\mathrm{Norm}_{K/\mathbb{Q}}(\pi - \bar\pi)\,\Delta(\mathbb{Z}[\pi + \bar\pi])^2.$

Alternatively, it is shown in [LPP, Proposition 7.4] that any prime that divides the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ must divide either $[\mathcal{O}_{K_0} : \mathbb{Z}[\pi + \bar\pi]]$ or a second quantity which, by [How, Theorem 1.3], is prime to $p$ if the abelian surface is ordinary. The same proposition also shows that $\Delta(\mathbb{Z}[\pi + \bar\pi]) \le 16p$, and since

$\Delta(\mathbb{Z}[\pi + \bar\pi]) = \Delta(\mathcal{O}_{K_0})\,[\mathcal{O}_{K_0} : \mathbb{Z}[\pi + \bar\pi]]^2,$

we conclude that if $p$ divides $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ then $p^2$ divides $[\mathcal{O}_{K_0} : \mathbb{Z}[\pi + \bar\pi]]^2$, and thus

$p^2 \le \dfrac{\Delta(\mathbb{Z}[\pi + \bar\pi])}{\Delta(\mathcal{O}_{K_0})} \le \dfrac{16p}{5}$

(since a real quadratic field has discriminant at least 5), which implies $p \le 3$. □

The following proposition summarizes the results of this section.

Proposition 3.8. Suppose $\{\alpha_i\}$ generates $\mathcal{O}_K$ as a $\mathbb{Z}$-algebra. Let $n_i$ be the smallest integer such that $n_i\alpha_i \in \mathbb{Z}[\pi]$, and write the prime factorization of $n_i$ as $n_i = \prod_j \ell_{ij}^{e_{ij}}$. For each $\ell_{ij} \neq p$, let $k_{ij}$ be an integer such that $\pi^{k_{ij}} - 1 \in \ell_{ij}\mathcal{O}_K$. Suppose $p > 3$. Then the following set generates $\mathcal{O}_K$ over $\mathbb{Z}[\pi, \bar\pi]$:

$\left\{ \dfrac{n_i}{\ell_{ij}^{e_{ij}}}\,\alpha_i \;:\; \ell_{ij}^2 \mid [\mathcal{O}_K : \mathbb{Z}[\pi]] \right\} \cup \left\{ \dfrac{\pi^{k_{ij}} - 1}{\ell_{ij}} \;:\; \ell_{ij}^2 \nmid [\mathcal{O}_K : \mathbb{Z}[\pi]],\ \ell_{ij} \neq p \right\}.$

Remark 3.9. Proposition 3.8 shows that if $p > 3$ and the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ is square-free, then $\mathcal{O}_K$ can be generated over $\mathbb{Z}[\pi, \bar\pi]$ by a collection of elements of the form $\frac{\pi^k - 1}{\ell}$. This answers a question raised by Eisenträger and Lauter [EL, Remark 5].

In our application, $\pi \in \mathcal{O}_K$ is only determined up to an automorphism of $K$, but Proposition 3.8 can still be used to determine a generating set for $\mathcal{O}_K$.

Corollary 3.10. Let $S \subset \mathcal{O}_K$ be the set given in Proposition 3.8. Let $\sigma$ be an element of $\mathrm{Aut}(K/\mathbb{Q})$. Then the set $\{\beta^\sigma : \beta \in S\}$ generates $\mathcal{O}_K$ over $\mathbb{Z}[\pi^\sigma, \bar\pi^\sigma]$.

Proof. By Proposition 3.8 the set $\{\pi, \bar\pi\} \cup S$ generates $\mathcal{O}_K$ as a $\mathbb{Z}$-algebra. Since $\mathcal{O}_K$ is mapped to itself by $\mathrm{Aut}(K/\mathbb{Q})$, the set $\{\pi^\sigma, \bar\pi^\sigma\} \cup \{\beta^\sigma : \beta \in S\}$ also generates $\mathcal{O}_K$ as a $\mathbb{Z}$-algebra. The statement follows immediately. □

4. Determining fields of definition

In this section, we consider the problem of determining the field of definition of the $n$-torsion points of the Jacobian $J$ of a genus 2 curve over $\mathbb{F}_p$. By [EL, Fact 10], the $n$-torsion points of $J$ are defined over $\mathbb{F}_{p^k}$ if and only if $(\pi^k - 1)/n$ is an endomorphism of $J$, where $\pi$ is the Frobenius endomorphism of $J$. Thus determining the field of definition of the $\ell$-torsion points allows us to determine whether some of the elements given by Proposition 3.8 are endomorphisms.
Algorithm 4.1. The following algorithm takes as input a primitive quartic CM field $K$, an element $\pi \in \mathcal{O}_K$ with $\pi\bar\pi = p$, and an integer $n$ with $\gcd(n, p) = 1$, and outputs the smallest integer $k$ such that $\pi^k - 1 \in n\mathcal{O}_K$. If $J$ is the Jacobian of a genus 2 curve over $\mathbb{F}_p$ with Frobenius $\pi^\sigma$ for some $\sigma \in \mathrm{Aut}(K/\mathbb{Q})$ and $\mathrm{End}(J) = \mathcal{O}_K$, this integer $k$ is such that the $n$-torsion points of $J$ are defined over $\mathbb{F}_{p^k}$.

(1) Compute a $\mathbb{Z}$-basis $\mathcal{B} = (1, \beta, \gamma, \delta)$ of $\mathcal{O}_K$, using [SW] or [Coh, Algorithm 6.1.8], and write $\pi = (a, b, c, d)$ in this basis. Set $k \leftarrow 1$.

(2) Let $\bar{\mathcal{B}}$ be the reduction of the elements of $\mathcal{B}$ modulo $n$. Let $(a_1, b_1, c_1, d_1) = (a, b, c, d) \pmod n$.

(3) Compute $\pi^k = (a_k, b_k, c_k, d_k) \pmod n$ with respect to $\bar{\mathcal{B}}$.

(4) If $(a_k, b_k, c_k, d_k) = (1, 0, 0, 0) \pmod n$, output $k$. Otherwise set $k \leftarrow k + 1$ and go to Step 3.

Proof. The set $\bar{\mathcal{B}}$ is a $\mathbb{Z}/n\mathbb{Z}$-basis of $\mathcal{O}_K/n\mathcal{O}_K$, so if $\pi^k = (1, 0, 0, 0) \pmod n$, then $\pi^k - 1 \in n\mathcal{O}_K$ (since the first element of $\mathcal{B}$ is 1). Since $n\mathcal{O}_K$ is mapped to itself by $\mathrm{Aut}(K/\mathbb{Q})$, we have $(\pi^\sigma)^k - 1 \in n\mathcal{O}_K$. If $\mathrm{End}(J) = \mathcal{O}_K$, then $\frac{(\pi^\sigma)^k - 1}{n} \in \mathcal{O}_K = \mathrm{End}(J)$, so by [EL, Fact 10], $J[n] \subseteq J(\mathbb{F}_{p^k})$. □

Remark 4.2. Since $J[n] = \bigoplus J[\ell^d]$ for the prime powers $\ell^d$ exactly dividing $n$, we may speed up Algorithm 4.1 by factoring $n$ and computing $k(\ell^d)$ for each prime power factor $\ell^d$; then $k(n) = \mathrm{lcm}(k(\ell^d))$. Furthermore, we will see in Propositions 6.2 and 6.3 below that for a fixed $\ell^d$, the possible values of $k$ are very limited. Thus we may speed up the algorithm even further by precomputing these possible values and testing each one, rather than increasing the value of $k$ by 1 until the correct value is found.
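The ring arithmetic behind Section 3 and Algorithm 4.1 can be exercised without a number-theory package as soon as $\mathcal{O}_K$ is known to have a power basis. The following Python script is an added example; it is not code from the paper or from the authors' MAGMA implementation, and the field and Frobenius element it uses are choices made for the example: $K = \mathbb{Q}(\theta)$ with $\theta^4 + 4\theta^2 + 2 = 0$ (so $\theta = \zeta_{16} - \zeta_{16}^{-1}$ and $K_0 = \mathbb{Q}(\sqrt{2})$), the cyclic quartic CM field of conductor 16, for which $\mathcal{O}_K = \mathbb{Z}[\theta]$ because the polynomial discriminant $2^{11}$ equals the field discriminant; and $\pi = 5 + 2\theta + 2\theta^2$, which satisfies $\pi\bar\pi = 17$ and has characteristic polynomial $x^4 - 4x^3 + 6x^2 - 68x + 289$ with middle coefficient prime to 17, so it has the form required of the Frobenius of an ordinary abelian surface over $\mathbb{F}_{17}$ (whether it comes from the Jacobian of a curve is not needed for the arithmetic shown). The script computes $[\mathcal{O}_K : \mathbb{Z}[\pi]]$ as a determinant, writes each $\theta^j$ in the form (3.2), checks that its denominator divides the index (Lemma 3.3), splits it into the prime-power-denominator generators of Lemma 3.2, and runs Algorithm 4.1 both directly and through the factorisation of Remark 4.2.

```python
from fractions import Fraction
from functools import reduce
from itertools import permutations
from math import lcm

# Assumed for this example (chosen here, not taken from the paper): K = Q(theta) with
# theta^4 + 4 theta^2 + 2 = 0 and O_K = Z[theta].  Elements of O_K are integer coordinate
# vectors with respect to the Z-basis (1, theta, theta^2, theta^3).
G_LOW = [2, 0, 4, 0]      # theta^4 = -(2 + 0 theta + 4 theta^2 + 0 theta^3)
PI = [5, 2, 2, 0]         # pi = 5 + 2 theta + 2 theta^2; pi * conj(pi) = 17, so pi is a Weil 17-number

def mul(a, b, n=0):
    """Product in Z[theta]; with n > 0 the result is reduced mod n, i.e. computed in O_K/nO_K."""
    prod = [0] * 7
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in (6, 5, 4):                          # eliminate theta^k using theta^4 = -(2 + 4 theta^2)
        c, prod[k] = prod[k], 0
        for t in range(4):
            prod[k - 4 + t] -= c * G_LOW[t]
    return [x % n for x in prod[:4]] if n else prod[:4]

def conj(a):
    """Complex conjugation theta -> -theta (theta is purely imaginary in every embedding of K)."""
    return [a[0], -a[1], a[2], -a[3]]

def powers_of_pi():
    """Rows of M: coordinates of 1, pi, pi^2, pi^3.  Z[pi] is the lattice spanned by these rows."""
    rows, cur = [], [1, 0, 0, 0]
    for _ in range(4):
        rows.append(cur)
        cur = mul(cur, PI)
    return rows

def det(M):
    """Leibniz determinant of a 4x4 integer matrix; |det M| = [O_K : Z[pi]] for M = powers_of_pi()."""
    total = 0
    for s in permutations(range(4)):
        sign = (-1) ** sum(s[i] > s[j] for i in range(4) for j in range(i + 1, 4))
        total += sign * M[0][s[0]] * M[1][s[1]] * M[2][s[2]] * M[3][s[3]]
    return total

def as_quotient(alpha, M):
    """Equation (3.2): return (a, n) with alpha = (a0 + a1 pi + a2 pi^2 + a3 pi^3)/n in lowest terms."""
    # Solve a.M = alpha over Q by Gauss-Jordan elimination on M transposed, alpha as right-hand side.
    A = [[Fraction(M[j][i]) for j in range(4)] + [Fraction(alpha[i])] for i in range(4)]
    for col in range(4):
        piv = next(r for r in range(col, 4) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [x / A[col][col] for x in A[col]]
        for r in range(4):
            if r != col and A[r][col] != 0:
                A[r] = [x - A[r][col] * y for x, y in zip(A[r], A[col])]
    a = [A[i][4] for i in range(4)]
    n = reduce(lcm, (x.denominator for x in a), 1)
    return [int(x * n) for x in a], n

def factor(n):
    """Trial-division factorisation {l: e}; adequate for the small indices and moduli met here."""
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            f[q], n = f.get(q, 0) + 1, n // q
        q += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def prime_power_pieces(a, n):
    """Lemma 3.2: a(pi)/n and the elements (n/l^e) alpha = a(pi)/l^e generate the same ring over Z[pi]."""
    return {l ** e: a for l, e in factor(n).items()}

def frobenius_order(n, kmax=10 ** 5):
    """Algorithm 4.1: smallest k with pi^k = 1 in O_K/nO_K, found by repeated multiplication mod n."""
    one, cur = [1 % n, 0, 0, 0], [x % n for x in PI]
    for k in range(1, kmax + 1):
        if cur == one:
            return k
        cur = mul(cur, PI, n)
    raise ValueError("no k <= kmax")

def frobenius_order_factored(n):
    """Remark 4.2: k(n) = lcm of k(l^d) over the prime powers l^d exactly dividing n."""
    return reduce(lcm, (frobenius_order(l ** d) for l, d in factor(n).items()), 1)

def section3_data():
    """[O_K : Z[pi]] and, for theta^j (j = 1, 2, 3), the triple (a, n, pieces) of (3.2) and Lemma 3.2."""
    M = powers_of_pi()
    gens = {}
    for j in (1, 2, 3):
        a, n = as_quotient([int(i == j) for i in range(4)], M)
        gens[j] = (a, n, prime_power_pieces(a, n))
    return abs(det(M)), gens

if __name__ == "__main__":
    index, gens = section3_data()
    print("[O_K : Z[pi]] =", index, "=", factor(index))
    for j, (a, n, pieces) in gens.items():
        print(f"theta^{j} = ({a[0]} + {a[1]} pi + {a[2]} pi^2 + {a[3]} pi^3) / {n}; piece denominators {sorted(pieces)}")
    print({n: (frobenius_order(n), frobenius_order_factored(n)) for n in (2, 3, 4, 7, 21)})
```

For this $\pi$ the index comes out as $1088 = 2^6 \cdot 17$, with $\theta = (-68 + 23\pi - 4\pi^2 + \pi^3)/68$, $\theta^2 = (-102 + 11\pi + 4\pi^2 - \pi^3)/68$ and $\theta^3 = (255 - 137\pi + 29\pi^2 - 3\pi^3)/136$. The single factor of $17 = p$ is the index $[\mathbb{Z}[\pi, \bar\pi] : \mathbb{Z}[\pi]]$ of Corollary 3.6, so the pieces with denominator 17 can be dropped, while $2^2$ divides the index, so for $\ell = 2$ Proposition 3.8 leaves the three elements $17\theta, 17\theta^2, 17\theta^3$ with denominators $4, 4, 8$, which are of the second form $h(\pi)/\ell^d$ and have to be tested by the methods of Section 5. Algorithm 4.1 gives $k(2) = 1$, $k(4) = 2$, $k(3) = 20$ and $k(7) = 6$, and $k(21) = 60 = \mathrm{lcm}(20, 6)$ whether computed directly or prime power by prime power.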



Eisenträger and Lauter [EL] computed endomorphism rings in several examples by determining the group structure of $J(\mathbb{F}_{p^k})$ to decide whether $J[n] \subseteq J(\mathbb{F}_{p^k})$. This is an exponential-time algorithm that is efficient only for very small $k$. Eisenträger and Lauter also suggested that the algorithm of Gaudry–Harley [GH] could be used to determine the field of definition of the $n$-torsion points. One of the primary purposes of this article is to present an efficient probabilistic algorithm to test the field of definition of $J[n]$. Below we describe the various methods of testing the field of definition of the $n$-torsion of $J$. Since $J[n] = \bigoplus J[\ell^d]$ as $\ell^d$ ranges over maximal prime-power divisors of $n$, it suffices to consider each prime-power factor separately. We thus assume in what follows that $n = \ell^d$ is a prime power.

4.1. The brute force method. The simplest method of determining the field of definition of the $n$-torsion is to compute the abelian group structure of $J(\mathbb{F}_{p^k})$. The MAGMA syntax for this computation is straightforward, and the program returns a group structure of the form

$J(\mathbb{F}_{p^k}) \cong \mathbb{Z}/a_1\mathbb{Z} \times \cdots \times \mathbb{Z}/a_j\mathbb{Z}$

with $a_1 \mid \cdots \mid a_j$. The $n$-torsion of $J$ is contained in $J(\mathbb{F}_{p^k})$ if and only if $j = 4$ and $n$ divides $a_1$.

While this method is easy to implement, if $k$ is too large it may take too long to compute the group structure (via Baby-Step/Giant-Step or similar algorithms), or even worse we may not even be able to factor $\#\mathrm{Jac}(C)(\mathbb{F}_{p^k})$. In practice, computing group structure in MAGMA seems to be feasible for group sizes up to roughly $2^{200}$, which means $p^k$ should be no more than roughly $2^{100}$, and thus $k$ will have to be very small. Thus the brute force method is very limited in scope; however, it has the advantage that in the small cases it can handle it runs fairly quickly and always outputs the right answer.

4.2. The Gaudry–Harley–Schost method. Gaudry and Harley [GH] define a Schoof–Pila-like algorithm for counting points on genus 2 curves. The curves input to this algorithm are assumed to have a degree 5 model over $\mathbb{F}_q$, so we can write elements of the Jacobian as pairs of affine points minus twice the Weierstrass point at infinity. An intermediate step in the algorithm is to construct a polynomial $R(x) \in \mathbb{F}_q[x]$ with the following property: if $P_1$ and $P_2$ are points on $C$ such that $D = [P_1] + [P_2] - 2[\infty]$ is an $n$-torsion point of $J$, then the $x$-coordinates of $P_1$ and $P_2$ are roots of $R$. The field of definition of the $x$-coordinates is at most a degree-two extension of the field of definition of $D$. Thus in many cases the field of definition of the $n$-torsion points can be determined from the factorization of $R(x)$.

Gaudry has implemented the algorithm in MAGMA and NTL; the algorithm involves taking two resultants of pairs of two-variable polynomials of degree roughly $n^2$. The algorithm uses the clever trick of computing a two-variable resultant by computing many single-variable resultants and interpolating the result. The interpolation only works if the field of definition of $J$ has at least $4n^2 - 8n + 4$ elements, so we must base extend $J$ until the field of definition is large enough. Since $R(x)$ has coefficients in $\mathbb{F}_p$, this base extension has no effect on the result of the computation.

Gaudry and Harley's analysis of the algorithm gives a running time of $O(n^6)$ field multiplications if fast polynomial arithmetic is used, and $O(n^8)$ otherwise. Due to its large space requirements, the algorithm has only succeeded at handling inputs of size $n \le 19$ [GS].

4.3. A probabilistic method. As usual, we let $J$ be the Jacobian of a genus 2 curve over $\mathbb{F}_{p^k}$, and $\ell \neq p$ be a prime. Let $H$ be the $\ell$-primary part of $J(\mathbb{F}_{p^k})$. Then $H$ has the structure

$H \cong \dfrac{\mathbb{Z}}{\ell^{a_1}\mathbb{Z}} \times \dfrac{\mathbb{Z}}{\ell^{a_2}\mathbb{Z}} \times \dfrac{\mathbb{Z}}{\ell^{a_3}\mathbb{Z}} \times \dfrac{\mathbb{Z}}{\ell^{a_4}\mathbb{Z}},$

with $a_1 \le a_2 \le a_3 \le a_4$. Our test rests on the following observations:

• If the $\ell^d$-torsion points of $J$ are defined over $\mathbb{F}_{p^k}$, then $a_1 \ge d$, and the number of $\ell^d$-torsion points in $H$ is $\ell^{4d}$.

• If the $\ell^d$-torsion points of $J$ are not defined over $\mathbb{F}_{p^k}$, then $a_1 < d$, and the number of $\ell^d$-torsion points in $H$ is at most $\ell^{4d-1}$.

We thus make the following calculation: write $\#J(\mathbb{F}_{p^k}) = \ell^s m$ with $\ell \nmid m$. Choose a random point $P \in J$. Then $[m]P \in H$, and we test whether $[\ell^d m]P = O$ in $J$. If the $\ell^d$-torsion points of $J$ are defined over $\mathbb{F}_{p^k}$, then $[\ell^d m]P = O$ with probability $\rho = \ell^{4d-s}$, while if the $\ell^d$-torsion points of $J$ are not defined over $\mathbb{F}_{p^k}$ then $[\ell^d m]P = O$ with probability at most $\rho/\ell$. If we perform the test enough times, we can determine which probability distribution we are observing and thus conclude, with a high degree of certainty, whether the $\ell^d$-torsion points are defined over $\mathbb{F}_{p^k}$.

This method is very effective in practice, and can be implemented for large $k$: while computing the group structure of $J(\mathbb{F}_{p^k})$ for large $k$ may be infeasible, it is much easier to compute points on $J(\mathbb{F}_{p^k})$ and to do arithmetic on those points. We now give a formal description of the algorithm and determine its probability of success.

Algorithm 4.3. The following algorithm takes as input the Jacobian $J$ of a genus 2 curve defined over a finite field $\mathbb{F}_q$, a prime power $\ell^d$ with $\gcd(\ell, q) = 1$, and a real number $\varepsilon \in (0, 1)$. If $J[\ell^d] \subseteq J(\mathbb{F}_q)$, then the algorithm outputs true with probability at least $1 - \varepsilon$. If $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$, then the algorithm outputs false with probability at least $1 - \varepsilon$.

(1) Compute $\#J(\mathbb{F}_q) = \ell^s m$, where $\ell \nmid m$. If $s < 4d$ output false.

(2) Set $\rho \leftarrow \ell^{4d-s}$, $N \leftarrow \left\lceil \dfrac{-2\log\varepsilon}{\rho}\left(\dfrac{2\ell}{\ell-1}\right)^2 \right\rceil$, $B \leftarrow \rho N\,\dfrac{\ell+1}{2\ell}$.

(3) Repeat $N$ times:

(a) Choose a random point $P_i \in J(\mathbb{F}_q)$.

(b) Compute $Q_i \leftarrow [\ell^d m]P_i$.

(4) If at least $B$ of the $Q_i$ are the identity element $O$ of $J$, output true; otherwise output false.

Proof. As observed above, if $J[\ell^d] \subseteq J(\mathbb{F}_q)$, then $Q_i = O$ with probability $\rho$, while if $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$, then $Q_i = O$ with probability at most $\rho/\ell$. Thus all we have to do is compute enough $Q_i$ to distinguish the two probability distributions. To figure out how many "enough" is, we use the Chernoff bound [Ros, Ch. 8, Prop. 5.3]. The version of the bound we use is as follows: If $N$ weighted coins are flipped and $\mu$ is the expected number of heads, then for any $\delta \in (0, 1]$ we have

(4.1) $\Pr[\#\text{heads} \le (1 - \delta)\mu] \le e^{-\mu\delta^2/2}, \qquad \Pr[\#\text{heads} \ge (1 + \delta)\mu] \le e^{-\mu\delta^2/2}.$

In our case we are given two different probability distributions for the coin flip and wish to tell them apart. If the $\ell^d$-torsion points of $J$ are defined over $\mathbb{F}_q$, then the probability that $Q_i = O$ is $\rho = \ell^{4d}/\ell^s$. Thus the expected number of $Q_i$ equal to $O$ is $\mu_1 = \rho N$. If the $\ell^d$-torsion points are not defined over $\mathbb{F}_q$, then the expected number of $Q_i$ equal to $O$ is at most $\mu_2 = \rho N/\ell$. Thus if we set $B = \rho N\left(\frac{\ell+1}{2\ell}\right)$ to be the midpoint of $[\mu_2, \mu_1]$, we will deduce that $J[\ell^d] \subseteq J(\mathbb{F}_q)$ if the number of $Q_i$ equal to $O$ is at least $B$, and $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$ otherwise.

We thus wish to find an $N$ such that this deduction is correct with probability at least $1 - \varepsilon$, i.e. an $N$ such that

(4.2) $\Pr[\#\{Q_i : Q_i = O\} < B] \le \varepsilon$ if $J[\ell^d] \subseteq J(\mathbb{F}_q)$, $\qquad \Pr[\#\{Q_i : Q_i = O\} \ge B] \le \varepsilon$ if $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$.

Substituting our choice of $B$ into the Chernoff bound (4.1), where $B = (1 - \delta)\mu_1$ with $\delta = \frac{\ell-1}{2\ell}$ in the first case and $B = (1 + \delta)\mu_2$ with $\delta = \frac{\ell-1}{2}$ in the second, gives

$\Pr[\#\{Q_i : Q_i = O\} < B] \le e^{-\frac{\mu_1}{2}\left(\frac{\ell-1}{2\ell}\right)^2}$ if $J[\ell^d] \subseteq J(\mathbb{F}_q)$,

$\Pr[\#\{Q_i : Q_i = O\} \ge B] \le e^{-\frac{\mu_2}{2}\left(\frac{\ell-1}{2}\right)^2}$ if $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$.

From these inequalities, we see that we wish to have $\frac{\mu_1}{2}\left(\frac{\ell-1}{2\ell}\right)^2 \ge -\log\varepsilon$ and $\frac{\mu_2}{2}\left(\frac{\ell-1}{2}\right)^2 \ge -\log\varepsilon$. Since $\mu_2 = \mu_1/\ell$, the second left-hand side is $\ell$ times the first, so the first condition implies the second. We thus substitute $\mu_1 = \rho N$ into the relation $\frac{\mu_1}{2}\left(\frac{\ell-1}{2\ell}\right)^2 \ge -\log\varepsilon$, and find that

$N \ge \dfrac{-2\log\varepsilon}{\rho}\left(\dfrac{2\ell}{\ell-1}\right)^2.$



DAVID FREEMAN AND KRISTIN LAUTER



Thus this value of N suffices to give the desired success probabilities. □ 
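To make the two probability distributions in the proof concrete, here is an added example (not from the paper) that runs Algorithm 4.3 against an abstract model of the $\ell$-primary part $H \cong \mathbb{Z}/\ell^{a_1} \times \dots \times \mathbb{Z}/\ell^{a_4}$ of $J(\mathbb{F}_q)$ instead of a real Jacobian. Multiplication by $m$ maps a uniformly random point of $J(\mathbb{F}_q)$ to a uniformly random element of $H$, so the model draws $[m]P$ directly. The exponents $a_i$, the seed and the `trials` override are constructed inputs for the demonstration; $\rho$, $N$ and $B$ are computed exactly as in Step 2.

```python
"""Algorithm 4.3 run on an abstract model of the l-primary part H of J(F_q).

Added example, not code from the paper.  H is modelled as
Z/l^{a_1} x ... x Z/l^{a_4}; the exponents a_i are a constructed input
(in practice they are exactly what the algorithm is trying to learn about).
"""
import math
import random
from fractions import Fraction


def hit_probability(l, d, exponents):
    """Exact Pr[[l^d]Q = O] for Q uniform in H = prod Z/l^{a_i}.
    Equals rho = l^{4d-s} when all a_i >= d (J[l^d] defined over F_q)
    and is at most rho/l when some a_i < d."""
    s = sum(exponents)
    kernel = 1
    for a in exponents:
        kernel *= l ** min(a, d)      # number of x in Z/l^a with l^d x = 0
    return Fraction(kernel, l ** s)


def trial_count(l, d, s, eps):
    """Step 2 of Algorithm 4.3: rho, the number of trials N and the threshold B."""
    rho = Fraction(l ** (4 * d), l ** s)
    n = math.ceil(2 * l * math.sqrt(-2 * math.log(eps)) / (float(rho) * (l - 1)))
    b = rho * n * Fraction(l + 1, 2 * l)
    return rho, n, b


def random_point(l, exponents, rng):
    """A uniformly random element of H, i.e. [m]P for a random P in J(F_q)."""
    return tuple(rng.randrange(l ** a) for a in exponents)


def is_killed_by(l, d, exponents, q):
    """Does [l^d]q = O hold in H?"""
    return all((l ** d * x) % (l ** a) == 0 for x, a in zip(q, exponents))


def torsion_defined(l, d, exponents, eps, rng, trials=None):
    """Algorithm 4.3 on the model.  Returns True iff the test concludes J[l^d] <= J(F_q).
    `trials` (a demonstration knob, not in the paper) overrides N; B is rescaled with it."""
    s = sum(exponents)
    if s < 4 * d:                     # Step 1: not even enough l-torsion
        return False
    rho, n, b = trial_count(l, d, s, eps)
    if trials is not None:
        n = trials
        b = rho * n * Fraction(l + 1, 2 * l)
    hits = sum(is_killed_by(l, d, exponents, random_point(l, exponents, rng))
               for _ in range(n))     # Step 3: count Q_i equal to O
    return hits >= b                  # Step 4


def demo(seed=2024, trials=None):
    """Two constructed cases with l = 3, d = 1, s = 5: exponents (1,1,1,2), where
    J[3] is defined over F_q, and (0,1,2,2), where it is not (a_1 = 0 < d)."""
    rng = random.Random(seed)
    return tuple(torsion_defined(3, 1, exps, 0.01, rng, trials)
                 for exps in ((1, 1, 1, 2), (0, 1, 2, 2)))


if __name__ == "__main__":
    for exps in ((1, 1, 1, 2), (0, 1, 2, 2)):
        print(exps, "Pr[[3]Q = O] =", hit_probability(3, 1, exps))
    print("rho, N, B for eps = 0.01:", trial_count(3, 1, 5, 0.01))
    print("decisions:", demo())
```

`hit_probability` is the exact value of the quantity the proof estimates: it equals $\rho = \ell^{4d-s}$ precisely when all $a_i \ge d$, and drops by at least a factor of $\ell$ as soon as $a_1 < d$. The `trials` argument exists only to drive the error probability down in a test; the paper's $N$ is what `trial_count` returns.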

Remark 4.4. If $s = 4d$, then the algorithm can be simplified considerably. In this case, if $J[\ell^d] \subseteq J(\mathbb{F}_q)$ then the $\ell$-primary part $H$ of $J(\mathbb{F}_q)$ is isomorphic to $(\mathbb{Z}/\ell^d\mathbb{Z})^4$, and if not then it contains a point of order greater than $\ell^d$. Thus if $J[\ell^d] \subseteq J(\mathbb{F}_q)$ then $Q_i$ will always be the identity, and the algorithm will always return true. On the other hand, if $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$, we may abort the algorithm and return false as soon as we find a point $Q_i \ne O$, for in this case we have found a point in $H$ of too large order, and thus the $\ell^d$-torsion points are not defined over $\mathbb{F}_q$. If $J[\ell^d] \not\subseteq J(\mathbb{F}_q)$, then the probability that a random point in $H$ has order $\le \ell^d$ is at most $1/\ell$, so we must conduct at least $N = \left\lceil \frac{-\log\varepsilon}{\log\ell} \right\rceil$ trials (so that $(1/\ell)^N \le \varepsilon$) to ensure a success probability of at least $1 - \varepsilon$. Thus in this case the method may require many fewer trials.

Remark 4.5. Note that while $\#J(\mathbb{F}_q)$ may be very large, in our application where $J$ is defined over a small prime field it is easy to compute $\#J(\mathbb{F}_q)$ from the zeta function of the curve of which $J$ is the Jacobian. Furthermore, while it is probably impossible to factor $\#J(\mathbb{F}_q)$ completely in a reasonable amount of time, it is easy to determine the highest power of $\ell$ that divides $\#J(\mathbb{F}_q)$.

Proposition 4.6. Let $J$ be the Jacobian of a genus 2 curve over $\mathbb{F}_p$. Assume that the zeta function of $J/\mathbb{F}_p$ is known, so that the cost to compute $\#J(\mathbb{F}_{p^k}) = \ell^s m$ is negligible. Then the expected number of operations in $\mathbb{F}_p$ necessary to execute Algorithm 4.3 on $J/\mathbb{F}_{p^k}$ (ignoring $\log\log p$ factors) is

$$O\!\left(k^2 \log k\,(\log^2 p)\,\ell^{s-4d}(-\log\varepsilon)^{1/2}\right).$$

Proof. We must compare the cost of the two actions of Step 3, repeated $N$ times. Choosing a random point on $J(\mathbb{F}_q)$ is equivalent to computing a constant number of square roots in $\mathbb{F}_q$, and taking a square root requires $O(\log q)$ field operations in $\mathbb{F}_q$ (see [GG, Algorithm 14.15 and Corollary 14.16]). The order of $J(\mathbb{F}_q)$ is roughly $q^2$, so multiplying a point on $J(\mathbb{F}_q)$ by an integer using a binary expansion takes $O(\log q)$ point additions on $J(\mathbb{F}_q)$. Each point addition takes a constant number of field operations in $\mathbb{F}_q$, so we see that the time of each trial is $O(\log q) = O(k\log p)$ operations in $\mathbb{F}_q$. If fast multiplication techniques are used, then the number of field operations in $\mathbb{F}_p$ needed to perform one field operation in $\mathbb{F}_q$ is $O(\log q\log\log q) = O(k\log k\log p)$ (ignoring $\log\log p$ factors), so each trial takes $O(k^2\log k\log^2 p)$ field operations in $\mathbb{F}_p$. The number of trials is $N = O(\ell^{s-4d}\sqrt{-\log\varepsilon})$, which gives a total of $O(k^2\log k(\log^2 p)\ell^{s-4d}(-\log\varepsilon)^{1/2})$ field operations in $\mathbb{F}_p$. □



5. Computing the action of Frobenius

As in the previous section, we consider a genus 2 curve $C$ over $\mathbb{F}_p$ with Jacobian $J$, and assume that the endomorphism ring of $J$ is an order in the ring of integers $O_K$ of a primitive quartic CM field $K$. We let $\pi$ represent the Frobenius endomorphism, and we look at elements $\alpha \in O_K$ such that $\ell^d\alpha \in \mathbb{Z}[\pi]$ for some prime power $\ell^d$. We wish to devise a test that, given such an $\alpha$, determines whether $\alpha$ is an endomorphism of $J$.

Since $\pi$ satisfies a quartic polynomial with integer coefficients, we can write $\alpha$ as

(5.1) $$\alpha = \frac{a_0 + a_1\pi + a_2\pi^2 + a_3\pi^3}{\ell^d}$$

for some integers $a_0, a_1, a_2, a_3$. Expressing $\alpha$ in this form is useful because of the following fact proved by Eisenträger and Lauter [EL, Corollary 9]: $\alpha$ is an endomorphism if and only if $T = a_0 + a_1\pi + a_2\pi^2 + a_3\pi^3$ acts as zero on the $\ell^d$-torsion. Thus we need a method for determining whether $T$ acts as zero on the $\ell^d$-torsion. Since $T$ is a linear operator, it suffices to check whether $T(Q_i)$ is zero for each $Q_i$ in some set whose points span the full $\ell^d$-torsion. Below we describe three different ways to compute such a spanning set.

5.1. The brute force method. The most straightforward way to compute a spanning set for the $\ell^d$-torsion is to use group structure algorithms to compute a basis of $J[\ell^d]$. This method was used in [EL] to compute the class polynomials in one example. The methods of Section 4 determine a $k$ for which $J[\ell^d] \subseteq J(\mathbb{F}_{p^k})$. The computation of the group structure of $J(\mathbb{F}_{p^k})$ gives generators for the group; multiplying these generators by appropriate integers gives generators $g_1, \dots, g_4$ for the $\ell^d$-torsion. It is then straightforward to compute the action of $T$ on each generator $g_i$ for $1 \le i \le 4$. If $T(g_i) = O$ for all $i$, then $\alpha$ is an endomorphism; otherwise $\alpha$ is not an endomorphism.

This method of computing a spanning set has the same drawback as the brute-force method of computing fields of definition: since the best algorithm for computing group structure runs in time exponential in $k\log p$, the method becomes prohibitively slow as $k$ increases. Thus the method is only effective when $\ell^d$ is very small.

5.2. A probabilistic method. The method of Section 5.1 for computing generators of $J[\ell^d]$ becomes prohibitively slow as the field of definition of the $\ell^d$-torsion points becomes large. However, we can get around this obstacle by randomly choosing many points $Q_i$ of exact order $\ell^d$, so that it is highly probable that the set $\{Q_i\}$ spans $J[\ell^d]$.

Recall that we wish to test whether the operator $T = a_0 + a_1\pi + a_2\pi^2 + a_3\pi^3$ acts as zero on the $\ell^d$-torsion. To perform the test, we determine the field $\mathbb{F}_{p^k}$ over which we expect the $\ell^d$-torsion to be defined. (See Section 4.) We pick a random point $P \in J(\mathbb{F}_{p^k})$ and multiply $P$ by an appropriate integer to get a point $Q$ whose order is a power of $\ell$. If $Q$ has order $\ell^d$, we act on $Q$ by the operator $T$ and test whether we get the identity of $J$; otherwise we try again with a new $P$. (See Section 5.3 for another method of randomly choosing $\ell^d$-torsion points.) We repeat the test until it is overwhelmingly likely that the points $Q$ span the $\ell^d$-torsion. If the set of $Q$ spans the $\ell^d$-torsion, then $\alpha$ is an endomorphism if and only if $T$ acts as zero on all the $Q$.

Algorithm 5.1. The following algorithm takes as input the Jacobian $J$ of a genus 2 curve over $\mathbb{F}_q$ with CM by $K$, a prime power $\ell^d$ with $\gcd(\ell, q) = 1$, the element $\pi \in O_K$ corresponding to the Frobenius endomorphism of $J$, an element $\alpha \in O_K$ such that $\ell^d\alpha \in \mathbb{Z}[\pi]$, and a real number $\varepsilon > 0$. The algorithm outputs true or false.

Suppose $J[\ell^d] \subseteq J(\mathbb{F}_q)$. If $\alpha$ is an endomorphism of $J$, then the algorithm outputs true. If $\alpha$ is not an endomorphism of $J$, then the algorithm outputs false with probability at least $1 - \varepsilon$.

(1) Compute $a_0, a_1, a_2, a_3$ such that $\alpha$ satisfies equation (5.1).

(2) Set $N$ to be
$$N = \begin{cases} \left\lceil \dfrac{-\log_\ell \varepsilon + 3d}{d - \log_\ell 2} \right\rceil & \text{if } \ell^d \ne 2, \\[1.5ex] \max\{\lceil -2\log_2 \varepsilon \rceil + 6,\ 16\} & \text{if } \ell^d = 2. \end{cases}$$

(3) Compute $\#J(\mathbb{F}_q) = \ell^s m$, where $\ell \nmid m$.

(4) Set $i \leftarrow 1$.

(5) Choose a random point $P_i \in J(\mathbb{F}_q)$. Set $Q_i \leftarrow [m]P_i$. Repeat until $[\ell^d]Q_i = O$ and $[\ell^{d-1}]Q_i \ne O$.

(6) Compute

(5.2) $$[a_0]Q_i + [a_1]\mathrm{Frob}_p(Q_i) + [a_2]\mathrm{Frob}_p^2(Q_i) + [a_3]\mathrm{Frob}_p^3(Q_i)$$

in $J(\mathbb{F}_q)$. If the result is nonzero output false.

(7) If $i < N$, set $i \leftarrow i + 1$ and go to Step 5.

(8) Output true.

Proof. By [EL, Corollary 9], $\alpha$ is an endomorphism of $J$ if and only if the expression (5.2) is $O$ for all $\ell^d$-torsion points $Q$. Furthermore, it suffices to check the expression only on a basis of the $\ell^d$-torsion. Step 5 repeats until we find a point $Q_i$ of exact order $\ell^d$; the assumption $J[\ell^d] \subseteq J(\mathbb{F}_q)$ guarantees that we can find such a point. The algorithm computes a total of $N$ such points $Q_i$. Thus if the set of $Q_i$ spans $J[\ell^d]$, then the algorithm will output true or false correctly, according to whether $\alpha \in \mathrm{End}(J)$. We must therefore compute a lower bound for the probability that the set of $Q_i$ computed spans $J[\ell^d]$.

To compute this bound, we will compute an upper bound for the probability that $N$ points of exact order $\ell^d$ do not span $J[\ell^d]$. We will make repeated use of the following inequality, which can be proved easily with simple algebra: if $\ell$, $d$, $n$, and $m$ are positive integers with $\ell > 1$ and $n > m$, then

(5.3) $$\frac{\ell^{md} - \ell^{m(d-1)}}{\ell^{nd} - \ell^{n(d-1)}} \le \frac{1}{\ell^{(n-m)d}}.$$

Next we observe that in any group of the form $(\mathbb{Z}/\ell^d\mathbb{Z})^r$, there are $\ell^{rd} - \ell^{r(d-1)}$ elements of exact order $\ell^d$. The probability that a set of $N$ elements does not span a 4-dimensional space is the sum of the probabilities that all the elements span a $j$-dimensional subspace, for $j = 1, 2, 3$. We consider each case:

• $j = 1$: All of the $Q_i$ are in the space spanned by $Q_1$, and $Q_1$ can be any element. The probability of this happening is
$$\left(\frac{\ell^{d} - \ell^{d-1}}{\ell^{4d} - \ell^{4(d-1)}}\right)^{N-1} \le \left(\frac{1}{\ell^{3d}}\right)^{N-1}.$$

• $j = 2$: $Q_1$ can be any element, one of the $Q_i$ must be independent of $Q_1$, and the remaining $N - 2$ elements must be in the same 2-dimensional subspace. There are $N - 1$ ways to choose the second element, so the total probability is
$$(N-1)\left(1 - \frac{\ell^{d} - \ell^{d-1}}{\ell^{4d} - \ell^{4(d-1)}}\right)\left(\frac{\ell^{2d} - \ell^{2(d-1)}}{\ell^{4d} - \ell^{4(d-1)}}\right)^{N-2} \le N\left(\frac{1}{\ell^{2d}}\right)^{N-2}.$$

• $j = 3$: $Q_1$ can be any element, and there must be two more linearly independent elements; there are $\binom{N-1}{2}$ ways of choosing these elements. The remaining $N - 3$ elements must all be in the same 3-dimensional subspace, so the total probability is
$$\frac{(N-1)(N-2)}{2}\left(1 - \frac{\ell^{d} - \ell^{d-1}}{\ell^{4d} - \ell^{4(d-1)}}\right)\left(1 - \frac{\ell^{2d} - \ell^{2(d-1)}}{\ell^{4d} - \ell^{4(d-1)}}\right)\left(\frac{\ell^{3d} - \ell^{3(d-1)}}{\ell^{4d} - \ell^{4(d-1)}}\right)^{N-3} \le \frac{N^2}{2}\left(\frac{1}{\ell^{d}}\right)^{N-3}.$$

Summing these three cases (and using $1 + N + N^2/2 \le N^2$ for $N \ge 3$), we see that the total probability that the $Q_i$ do not span $J[\ell^d]$ is bounded above by

(5.4) $$N^2\left(\frac{1}{\ell^d}\right)^{N-3}.$$

Since $2^N \ge N^2$ for $N \ge 4$, we have
$$N^2\left(\frac{1}{\ell^d}\right)^{N-3} \le \frac{2^N}{\ell^{d(N-3)}} = \ell^{-dN + 3d + N\log_\ell 2}.$$
(Note that $N \ge 4$ must always hold if we want to have a spanning set of $J[\ell^d]$.) Setting this last expression less than $\varepsilon$ and taking logs, we find

(5.5) $$N > \frac{1}{d - \log_\ell 2}\left(-\log_\ell\varepsilon + 3d\right).$$

Thus if the number of trials $N$ is greater than or equal to the right hand side of (5.5), then the probability of success is at least $1 - \varepsilon$.

The right hand side of expression (5.5) is undefined if $\ell = 2$, $d = 1$, so we must make a different estimate. Since $2^{N/2} \ge N^2$ for $N \ge 16$, the estimate (5.4) bounds the probability of the $Q_i$ not spanning $J[\ell^d]$ by
$$\frac{N^2}{2^{N-3}} \le \frac{1}{2^{N/2 - 3}}.$$
Setting the right hand side less than $\varepsilon$ and taking logs gives

(5.6) $$N > -2\log_2\varepsilon + 6.$$

Thus if the number of trials $N$ is greater than or equal to the maximum of 16 and the right hand side of (5.6), then the probability of success is at least $1 - \varepsilon$. □
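An added example (not part of the paper) of the counting behind Steps 2 and 5 of Algorithm 5.1: $J[\ell^d]$ is modelled as $(\mathbb{Z}/\ell^d\mathbb{Z})^4$, points of exact order $\ell^d$ are sampled as in Step 5, and the spanning test uses the fact that elements of $(\mathbb{Z}/\ell^d\mathbb{Z})^4$ generate the whole group if and only if their reductions modulo $\ell$ span $(\mathbb{Z}/\ell\mathbb{Z})^4$ (Nakayama's lemma for the local ring $\mathbb{Z}/\ell^d\mathbb{Z}$), a step the proof above does not spell out. `trial_count` is (5.5)/(5.6), `failure_bound` is (5.4), and the Monte Carlo estimate lets one compare the bound with what actually happens; the seed and sample counts are constructed for the demonstration.

```python
"""Spanning-set probabilities behind Algorithm 5.1 (added example, not the paper's code).

J[l^d] is modelled as (Z/l^d)^4.  A point has exact order l^d iff at least one
coordinate is not divisible by l, and N such points generate (Z/l^d)^4 iff
their reductions mod l span (Z/l)^4, so the spanning test is a rank over F_l.
"""
import math
import random


def trial_count(l, d, eps):
    """N from (5.5), or from (5.6) together with the floor of 16 when l^d = 2."""
    if l ** d == 2:
        return max(math.ceil(-2 * math.log2(eps)) + 6, 16)
    log_l = lambda x: math.log(x) / math.log(l)
    return math.ceil((-log_l(eps) + 3 * d) / (d - log_l(2)))


def failure_bound(l, d, n):
    """(5.4): N^2 (1/l^d)^(N-3) bounds Pr[N points of exact order l^d do not span]."""
    return n * n / float(l ** (d * (n - 3)))


def rank_mod_l(vectors, l):
    """Rank of the reductions mod l, by Gaussian elimination over F_l."""
    rows = [[x % l for x in v] for v in vectors]
    rank = 0
    for col in range(4):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, l)
        rows[rank] = [(x * inv) % l for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % l for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def has_exact_order(v, l, d):
    """[l^d]v = O always holds in (Z/l^d)^4; [l^(d-1)]v != O iff some coordinate is a unit mod l."""
    return any(x % l for x in v)


def spans(vectors, l, d):
    """Do the given points of exact order l^d generate (Z/l^d)^4?  (Nakayama: rank mod l == 4.)"""
    assert all(has_exact_order(v, l, d) for v in vectors)
    return rank_mod_l(vectors, l) == 4


def random_exact_order_point(l, d, rng):
    """Uniform among the l^{4d} - l^{4(d-1)} points of exact order l^d, as in Step 5."""
    while True:
        v = tuple(rng.randrange(l ** d) for _ in range(4))
        if has_exact_order(v, l, d):
            return v


def estimate_failure_rate(l, d, n, samples, rng):
    """Monte Carlo estimate of Pr[N random points of exact order l^d do not span]."""
    fails = sum(not spans([random_exact_order_point(l, d, rng) for _ in range(n)], l, d)
                for _ in range(samples))
    return fails / samples


if __name__ == "__main__":
    rng = random.Random(1)                     # constructed seed
    for l, d in ((3, 1), (2, 1), (2, 2), (5, 1)):
        n = trial_count(l, d, 0.01)
        print(f"l={l} d={d}: N={n}, bound (5.4)={failure_bound(l, d, n):.2e}, "
              f"observed={estimate_failure_rate(l, d, n, 200, rng)}")
```

With $N = 4$ the bound (5.4) is vacuous, which is consistent with the remark in the proof that four points are the bare minimum for a spanning set; the observed failure rate for the paper's $N$ is far below the bound, since (5.4) discards the factors $\left(1 - \frac{\ell^{d}-\ell^{d-1}}{\ell^{4d}-\ell^{4(d-1)}}\right)$ and replaces $\binom{N-1}{2}$ by $N^2/2$.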

Corollary 5.2. Let $J$, $\ell^d$, $\alpha$, and $\varepsilon$ be as in Algorithm 5.1. Suppose $\pi \in O_K$ is such that $\pi^\sigma$ corresponds to the Frobenius endomorphism of $J$ for some $\sigma \in \mathrm{Aut}(K/\mathbb{Q})$. Suppose $J[\ell^d] \subseteq J(\mathbb{F}_q)$, and suppose Algorithm 5.1 is run with inputs $J$, $\ell^d$, $\pi$, $\alpha$, $\varepsilon$. If $\alpha^\sigma$ is an endomorphism of $J$, then the algorithm outputs true. If $\alpha^\sigma$ is not an endomorphism of $J$, then the algorithm outputs false with probability at least $1 - \varepsilon$.

Proof. If we write $\alpha$ in the form (5.1), then we have

(5.7) $$\alpha^\sigma = \frac{a_0 + a_1\pi^\sigma + a_2(\pi^\sigma)^2 + a_3(\pi^\sigma)^3}{\ell^d}.$$

Step 6 of the algorithm determines whether the numerator of this expression acts as zero on $\ell^d$-torsion points. By [EL, Corollary 9], this action is identically zero if and only if $\alpha^\sigma$ is an endomorphism of $J$. The statement now follows from the correctness of Algorithm 5.1. □
Remark 5.3. Since $Q_i$ is an $\ell^d$-torsion point in Step 6, we may speed up the computation of the expression (5.2) by replacing each $a_j$ with a small representative of $a_j$ modulo $\ell^d$. We may also rewrite the expression (5.2) as
$$[a_0]Q_i + \mathrm{Frob}_p\Big([a_1]Q_i + \mathrm{Frob}_p\big([a_2]Q_i + \mathrm{Frob}_p([a_3]Q_i)\big)\Big)$$
to reduce the number of $\mathrm{Frob}_p$ operations from 6 to 3.

Remark 5.4. Algorithm 5.1 assumes that the $\ell^d$-torsion points of $J$ are defined over $\mathbb{F}_q$, so with enough trials we are almost certain to get a spanning set of points $Q_i$. However, if the $\ell^d$-torsion points are not defined over $\mathbb{F}_q$, then the points $Q_i$ will span a proper subspace of $J[\ell^d]$. If $\alpha$ is an endomorphism then $T$ will act as zero on all of the $Q_i$ and Algorithm 5.1 will output true. However, if $\alpha$ is not an endomorphism then $T$ may still act as zero on all of the $Q_i$ (in which case it must have nonzero action on the $\ell^d$-torsion points that are not defined over $\mathbb{F}_q$), and the algorithm will incorrectly output true. Thus to test whether $\alpha$ is an endomorphism, we must combine Algorithm 5.1 with a method of checking the field of definition of the $\ell^d$-torsion points, via the probabilistic method of Algorithm 4.3 or one of the other methods.

Proposition 5.5. Let $J$ be the Jacobian of a genus 2 curve over $\mathbb{F}_p$. Assume that the zeta function of $J/\mathbb{F}_p$ is known, so that the cost to compute $\#J(\mathbb{F}_{p^k}) = \ell^s m$ is negligible. Then the expected number of operations in $\mathbb{F}_p$ necessary to execute Algorithm 5.1 on $J/\mathbb{F}_{p^k}$ (ignoring $\log\log p$ factors) is

$$O\!\left(k^2\log k\,(\log^2 p)\,\ell^{s-4d}(-\log\varepsilon)\right).$$

Proof. Let $q = p^k$. In the proof of Proposition 4.6 we computed that the cost of computing a random point on $J(\mathbb{F}_q)$ is $O(\log q)$ operations in $\mathbb{F}_q$, and the cost of a point multiplication on $J(\mathbb{F}_q)$ is $O(\log q)$ operations in $\mathbb{F}_q$. Under the hypothesis $J[\ell^d] \subseteq J(\mathbb{F}_q)$, the chance that a random point in the $\ell$-primary part of $J(\mathbb{F}_q)$ has exact order $\ell^d$ is $\frac{\ell^{4d} - \ell^{4(d-1)}}{\ell^s}$, so the expected number of random points necessary to find one point of exact order $\ell^d$ is $O(\ell^{s-4d})$. The cost of computing the Frobenius action is proportional to the cost of raising an element of $\mathbb{F}_q$ to the $p$th power, which is $O(\log p)$ $\mathbb{F}_q$-operations. We conclude that the expected cost of a single trial with a random point is
$$O(\log q + \log q + \log p)\,\ell^{s-4d}\,M(q)$$
operations in $\mathbb{F}_p$, where $M(q)$ is the number of field operations in $\mathbb{F}_p$ needed to perform one field operation in $\mathbb{F}_q$. If fast multiplication techniques are used, then $M(q) = O(\log q\log\log q) = O(k\log k\log p)$ (ignoring $\log\log p$ factors), so each trial takes $O(k^2\log k(\log^2 p)\ell^{s-4d})$ field operations in $\mathbb{F}_p$. The number of points of exact order $\ell^d$ computed is $O(-\log\varepsilon)$. Putting this all together gives a total of $O(k^2\log k(\log^2 p)\ell^{s-4d}(-\log\varepsilon))$ field operations in $\mathbb{F}_p$. □

5.3. The Couveignes method. Recall that to test whether an element $\alpha \in O_K$ of the form (5.1) is an endomorphism of $J$, we determine whether the operator $T = a_0 + a_1\pi + a_2\pi^2 + a_3\pi^3$ acts as zero on all elements of a set $\{Q_i\}$ that spans $J[\ell^d]$. Algorithm 5.1 computes the spanning set by choosing random points $P_i$ in $J(\mathbb{F}_{p^k})$, multiplying by an appropriate $m$ to get points $Q_i$ in the $\ell$-primary part of $J(\mathbb{F}_{p^k})$ (denoted $J(\mathbb{F}_{p^k})_\ell$), and keeping only those $Q_i$ whose order is exactly $\ell^d$. If $J(\mathbb{F}_{p^k})_\ell$ is much larger than $J[\ell^d]$, the orders of most of the $Q_i$ will be too large, and it will take many trials to find the required number of points of order exactly $\ell^d$. To reduce the number of trials required, we would like to find a function from $J(\mathbb{F}_{p^k})_\ell$ to $J[\ell^d]$ that sends most of the $Q_i$ to points of exact order $\ell^d$.

One way to compute such a function is as follows: compute the order $\ell^{t_i}$ of each $Q_i$; if $t_i \ge d$ send $Q_i \mapsto [\ell^{t_i - d}]Q_i$, otherwise send $Q_i \mapsto O$. In most cases the image has order $\ell^d$. However, since the multiplier $\ell^{t_i - d}$ will be different for each $Q_i$, this function does not define a group homomorphism, and thus the image of a set of points uniformly distributed in $J(\mathbb{F}_{p^k})_\ell$ will not be uniformly distributed in $J[\ell^d]$.

Couveignes [Cou] has described a map that has the properties we want and is a group homomorphism. The idea is the following: if $\pi^k - 1 \in \ell^d\,\mathrm{End}(J)$, then there is an endomorphism $\phi$ such that $\ell^d\phi = \pi^k - 1$. Since $\pi^k - 1$ acts as zero on $J(\mathbb{F}_{p^k})$, the image of $\phi$ on $J(\mathbb{F}_{p^k})$ must consist of $\ell^d$-torsion points. Furthermore, the kernel of $\phi$ contains $\ell^d J(\mathbb{F}_{p^k})$, since $\phi(\ell^d P) = (\pi^k - 1)(P) = O$ if $P$ is defined over $\mathbb{F}_{p^k}$. Thus we have a map
$$\phi : J(\mathbb{F}_{p^k})/\ell^d J(\mathbb{F}_{p^k}) \to J[\ell^d].$$
Couveignes then uses the non-degeneracy of the Frey-Rück pairing (see [Sch]) to show that $\phi$ is a bijection. Thus for any $Q_i$ not in $\ell J(\mathbb{F}_{p^k})$, $\phi(Q_i)$ has order exactly $\ell^d$. Since $\phi$ is a surjective group homomorphism, the image of a set of points uniformly distributed in $J(\mathbb{F}_{p^k})$ will be uniformly distributed in $J[\ell^d]$. The chance that $Q_i \in \ell J(\mathbb{F}_{p^k})$ is $1/\ell^4$, so applying $\phi$ to the $Q_i$ will very quickly give a spanning set of $J[\ell^d]$.

However, there is one important caveat: we may not be able to compute $\phi$. The only endomorphisms we can compute are those involving the action of Frobenius and scalar multiplication; namely, endomorphisms in $\mathbb{Z}[\pi]$. Thus we need to take $k$ to be the smallest integer such that $\pi^k - 1 \in \ell^d\mathbb{Z}[\pi]$. We can then use the characteristic polynomial of Frobenius to write $\phi = \frac{1}{\ell^d}(\pi^k - 1) = M(\pi)$, where $M$ is a polynomial of degree at most 3. Furthermore, since we are applying $\phi$ only to points $Q_i \in J(\mathbb{F}_{p^k})_\ell$, we may reduce the coefficients of $M$ modulo $\ell^s$ and get the same action on the $Q_i$.

We have implemented the map $\phi$ in Magma and tested it on the examples that appear in Section 9. In our examples, the smallest $k$ for which $\pi^k - 1 \in \ell^d\mathbb{Z}[\pi]$ is usually equal to $\ell k_0$, where $k_0$ is the integer output by Algorithm 4.1. We found that the cost of choosing random points over a field of degree $\ell$ times as large far outweighs the benefit of having to reject fewer of the points $Q_i$, so this technique does not help to speed up Algorithm 5.1.



6. Bounding the field of definition of the $\ell^d$-torsion points

The running times of Algorithms 4.3 and 5.1 depend primarily on the size of the field $\mathbb{F}_{p^k}$ over which the $\ell^d$-torsion points of $J$ are defined. In this section, we bound the size of $k$ in terms of $\ell^d$ and $p$. We also show that to determine the field of definition of the $\ell^d$-torsion points of $J$ for $d > 1$, it suffices to determine the field of definition of the $\ell$-torsion points of $J$. This result allows us to work over much smaller fields in Algorithm 4.3, thus saving us a great deal of computation.

By Lemma 3.3, the prime powers $\ell^d$ input to Algorithms 4.3 and 5.1 divide the index $[O_K : \mathbb{Z}[\pi, \bar\pi]]$. Thus a bound on this index gives a bound on the $\ell^d$ that appear.
Proposition 6.1. Let $K$ be a primitive quartic CM field with discriminant $\Delta = \Delta(O_K)$. Suppose $\pi \in O_K$ corresponds to the Frobenius endomorphism of the Jacobian of a genus 2 curve defined over $\mathbb{F}_p$. Then
$$[O_K : \mathbb{Z}[\pi, \bar\pi]] \le \frac{16p^2}{\sqrt{\Delta}}.$$

Proof. We showed in the proof of Corollary 3.6 that $[\mathbb{Z}[\pi, \bar\pi] : \mathbb{Z}[\pi]] = p$. Combining this result with the formula
$$[O_K : \mathbb{Z}[\pi]] = [O_K : \mathbb{Z}[\pi, \bar\pi]]\,[\mathbb{Z}[\pi, \bar\pi] : \mathbb{Z}[\pi]],$$
we see that it suffices to show that $[O_K : \mathbb{Z}[\pi]] \le 16p^3/\sqrt{\Delta}$. (Note that $\Delta > 0$ by [How, Proposition 9.4].) Next, recall that
$$[O_K : \mathbb{Z}[\pi]] = \sqrt{\frac{\Delta(\mathbb{Z}[\pi])}{\Delta(O_K)}}.$$
It thus suffices to show that $\sqrt{\Delta(\mathbb{Z}[\pi])} \le 16p^3$. By definition,

(6.1) $$\sqrt{\Delta(\mathbb{Z}[\pi])} = \prod_{i < j} |\alpha_i - \alpha_j|,$$

where the $\alpha_i$ are the four embeddings of $\pi$ into $\mathbb{C}$. Since $\pi$ represents an action of Frobenius, all of the $\alpha_i$ lie on the circle $|z| = \sqrt{p}$. The product (6.1) takes its maximum value subject to this constraint when the $\alpha_i$ are equally spaced around the circle, which happens when the $\alpha_i$ are $\sqrt{p}$ times primitive eighth roots of unity. The maximum product is thus $p^3\sqrt{\Delta(\mathbb{Q}(\zeta_8))} = 16p^3$. □

Proposition 6.1 also follows directly from [LPP, Proposition 7.4], where it is proved in a different manner that $\sqrt{\Delta(\mathbb{Z}[\pi, \bar\pi])} \le 16p^2$.

The next two propositions give tight bounds on the degree $k$ of the extension field of $\mathbb{F}_p$ over which the $\ell^d$-torsion points of $J$ are defined. The first considers the case $d = 1$, and the second shows that as $d$ increases, $k$ grows by a factor of $\ell^{d-1}$.

Proposition 6.2. Let $J$ be the Jacobian of a genus 2 curve over $\mathbb{F}_p$, and suppose that $\mathrm{End}(J)$ is isomorphic to the ring of integers $O_K$ of the primitive quartic CM field $K$. Let $\ell \ne p$ be a prime number, and suppose $\mathbb{F}_{p^k}$ is the smallest field over which the points of $J[\ell]$ are defined. If $\ell$ is unramified in $K$, then $k$ divides one of the following:

• $\ell - 1$, if $\ell$ splits completely in $K$;

• $\ell^2 - 1$, if $\ell$ splits into two or three prime ideals in $K$;

• $\ell^3 - \ell^2 + \ell - 1$, if $\ell$ is inert in $K$.

If $\ell$ ramifies in $K$, then $k$ divides one of the following:

• $\ell^3 - \ell^2$, if there is a prime over $\ell$ of ramification degree 3, or if $\ell$ is totally ramified in $K$ and $\ell \le 3$;

• $\ell^2 - \ell$, in all other cases where $\ell$ factors into four prime ideals in $K$ (counting multiplicities);

• $\ell^3 - \ell$, if $\ell$ factors into two or three prime ideals in $K$ (counting multiplicities).
Proof. Let $\pi \in O_K$ correspond to the Frobenius endomorphism. By [EL, Fact 10], the $\ell$-torsion points of $J$ are defined over $\mathbb{F}_{p^k}$ if and only if $\pi^k - 1 \in \ell O_K$. We observe that by the Chinese Remainder Theorem, this condition is satisfied if and only if $\pi^k \equiv 1 \pmod{\mathfrak{p}_i^{e_i}}$ for all primes $\mathfrak{p}_i \mid \ell O_K$, where $e_i$ is the ramification degree of $\mathfrak{p}_i$. Next, we note that the condition $\ell \ne p$ implies that $\pi \notin \mathfrak{p}_i$ for all $i$. To see why this is true, suppose the contrary: $\pi \in \mathfrak{p}_i$. Since $\pi\bar\pi = p$, we have $p \in \mathfrak{p}_i$, contradicting the fact that $\mathfrak{p}_i$ is a prime over $\ell \ne p$.

From these observations we deduce that $k$ is the least common multiple of the multiplicative orders of $\pi$ mod each $\mathfrak{p}_i^{e_i}$, and thus $k$ must divide the least common multiple of
$$\#(O_K/\mathfrak{p}_i^{e_i})^\times = \ell^{f_i(e_i - 1)}(\ell^{f_i} - 1),$$
where $f_i$ is the inertia degree of $\mathfrak{p}_i$. We now consider the various possibilities for the splitting of $\ell$ in $O_K$.

First, suppose $\ell$ is unramified, so $e_i = 1$ for all $i$.

• If $\ell$ splits completely, then the inertia degrees of all the $\mathfrak{p}_i$ are 1, so $k \mid \ell - 1$.

• If $\ell$ splits into two or three ideals, then at least one $\mathfrak{p}_i$ has $f_i = 2$ and all have $f_i \le 2$, so $k \mid \ell^2 - 1$.

• If $\ell$ is inert, then there is a single $\mathfrak{p}_i$ with $f_i = 4$, and $k$ divides $\ell^4 - 1$. We will return to this case below to get a better bound.

Now suppose $\ell$ ramifies; there are six possibilities for the splitting of $\ell$ in $O_K$.

• If $\ell O_K = \mathfrak{p}^3\mathfrak{q}$, then $\mathfrak{p}$ and $\mathfrak{q}$ have inertia degree 1, so $k$ divides $\ell^2(\ell - 1)$.

• If $\ell O_K = \mathfrak{p}^4$, then $O_K/\mathfrak{p} \cong \mathbb{F}_\ell$, and thus we have $\pi^{\ell - 1} = 1 + \tau$ for some $\tau \in \mathfrak{p}$. There are now two subcases:

– If $\ell \ge 5$, then $(1 + \tau)^\ell \in 1 + \mathfrak{p}^4$, so $\pi^{\ell(\ell - 1)} \equiv 1 \pmod{\mathfrak{p}^4}$. Thus $k$ divides $\ell(\ell - 1)$.

– If $\ell = 2$ or $3$, then $(1 + \tau)^\ell \equiv 1 + \tau^\ell \pmod{\mathfrak{p}^4}$, so we must raise the expression to the $\ell$th power again to get rid of the $\tau^\ell$ term. Thus $\pi^{\ell^2(\ell - 1)} \equiv 1 \pmod{\mathfrak{p}^4}$, and $k$ divides $\ell^2(\ell - 1)$.

• If $\ell O_K = \mathfrak{p}^2\mathfrak{q}^2$ or $\mathfrak{p}^2\mathfrak{q}\mathfrak{r}$, then all of the primes in question have inertia degree 1, so $k$ divides $\ell(\ell - 1)$.

• If $\ell O_K = \mathfrak{p}^2\mathfrak{q}$, then $\mathfrak{p}$ has inertia degree 1 and $\mathfrak{q}$ has inertia degree 2, so $k$ divides $\operatorname{lcm}(\ell(\ell - 1), \ell^2 - 1) = \ell(\ell^2 - 1)$.

• If $\ell O_K = \mathfrak{p}^2$, then $O_K/\mathfrak{p} \cong \mathbb{F}_{\ell^2}$, and thus we have $\pi^{\ell^2 - 1} = 1 + \tau$ for some $\tau \in \mathfrak{p}$. Then $(1 + \tau)^\ell \in 1 + \mathfrak{p}^2$, so $\pi^{\ell(\ell^2 - 1)} \equiv 1 \pmod{\mathfrak{p}^2}$. Thus $k$ divides $\ell(\ell^2 - 1)$.

Thus far we have used only the fact that $\pi$ is an algebraic integer, and we have not used the property that it represents the action of Frobenius. To get a better bound in the case where $\ell$ is inert in $K$, we recall that since $\pi$ is the Frobenius endomorphism, we have $\pi\bar\pi = p$, and $K = \mathbb{Q}(\pi)$. Since $\ell$ is inert, reduction modulo $\ell$ gives an injective group homomorphism
$$\phi : \mathrm{Aut}(K/\mathbb{Q}) \to \mathrm{Aut}\big((O_K/\ell O_K)/(\mathbb{Z}/\ell\mathbb{Z})\big).$$
Furthermore, the target group is isomorphic to $\mathrm{Gal}(\mathbb{F}_{\ell^4}/\mathbb{F}_\ell)$. This group is cyclic of order 4 and is generated by the $\ell$th-power Frobenius automorphism. Since complex conjugation has order 2 in $\mathrm{Aut}(K/\mathbb{Q})$, its image under $\phi$ must be the map $a \mapsto a^{\ell^2}$. Thus $\bar\pi \equiv \pi^{\ell^2} \pmod{\ell}$, and $\pi^{\ell^2 + 1} \equiv p \pmod{\ell}$. Since $p$ must reduce to an element of $\mathbb{F}_\ell^\times$, $p$ has order dividing $\ell - 1$, so $\pi$ must have order dividing $(\ell^2 + 1)(\ell - 1) = \ell^3 - \ell^2 + \ell - 1$. □
The following proposition shows that in the cases we need for our application, the field of definition of the $\ell^d$-torsion points is determined completely by the field of definition of the $\ell$-torsion points.

Proposition 6.3. Let $A$ be an ordinary abelian variety defined over a finite field $F$, and let $\ell$ be a prime number not equal to the characteristic of $F$. Let $d$ be a positive integer, and let $F'$ be the extension field of $F$ of degree $\ell^{d-1}$. If the $\ell$-torsion points of $A$ are defined over $F$, then the $\ell^d$-torsion points of $A$ are defined over $F'$. If $\mathrm{End}(A)$ is integrally closed, then the converse also holds.

Proof. Let $R = \mathrm{End}(A)$, and let $\pi \in R$ be the Frobenius endomorphism of $F$. By [EL, Fact 10], for any positive integers $t$ and $k$, the $\ell^t$-torsion points of $A$ are defined over the degree-$k$ extension of $F$ if and only if $\pi^k - 1 \in \ell^t R$, i.e. $\pi^k \equiv 1 \pmod{\ell^t R}$. To prove the proposition, it suffices to show that
$$\pi \equiv 1 \pmod{\ell R} \iff \pi^{\ell^{d-1}} \equiv 1 \pmod{\ell^d R},$$
with ($\Leftarrow$) holding when $R$ is integrally closed.

First suppose that $\pi^k \equiv 1 \pmod{\ell^t R}$, with $t \ge 1$. Then we can write $\pi^k = 1 + \ell^t y$ for some $y \in R$. Then
$$\pi^{k\ell} = 1 + \ell(\ell^t y) + \binom{\ell}{2}(\ell^t y)^2 + \dots + (\ell^t y)^\ell,$$
so $\pi^{k\ell} \equiv 1 \pmod{\ell^{t+1} R}$. We conclude that if the points of $A[\ell^t]$ are defined over the degree-$k$ extension of $F$, then the points of $A[\ell^{t+1}]$ are defined over the degree-$k\ell$ extension of $F$. Thus if $A[\ell] \subseteq A(F)$, then by induction $A[\ell^d] \subseteq A(F')$.

Now suppose that $\pi^{k\ell} \equiv 1 \pmod{\ell^t R}$, with $t \ge 2$. Since $A$ is ordinary, $R$ is an order in a number field. Thus if $R$ is integrally closed then it is a Dedekind domain, and we may write $\ell R = \prod \mathfrak{p}_i^{e_i}$ uniquely for prime ideals $\mathfrak{p}_i \subset R$. By the Chinese Remainder Theorem, $\pi^{k\ell} \equiv 1 \pmod{\ell^t R}$ if and only if $\pi^{k\ell} \equiv 1 \pmod{\mathfrak{p}_i^{e_i t}}$ for each $i$, so we may consider the problem locally at each $\mathfrak{p}_i$. Localizing and completing the ring $R$ at the prime $\mathfrak{p}_i$ gives a complete local ring $R_{\mathfrak{p}_i}$ with maximal ideal $\mathfrak{p}_i$ and valuation $v$ satisfying $v(\ell) = e_i$.

By hypothesis, we may write $\pi^{k\ell} = 1 + y$ for some $y \in \mathfrak{p}_i^{e_i t}$. We can define the $\ell$th-root function on $R_{\mathfrak{p}_i}$ to be

(6.2) $$(1 + y)^{1/\ell} = \exp\!\left(\tfrac{1}{\ell}\log(1 + y)\right).$$

By [Neu, Proposition II.5.5], if $y \in \mathfrak{p}_i^{e_i t}$ then $\log(1 + y) \in \mathfrak{p}_i^{e_i t}$. Since $v(\ell) = e_i$, we have $v\!\left(\tfrac{1}{\ell}\log(1 + y)\right) \ge e_i(t - 1)$, so by the same Proposition $(1 + y)^{1/\ell}$ converges and is in $1 + \mathfrak{p}_i^{e_i(t-1)}$ whenever $(t - 1)(\ell - 1) > 1$. Thus if $(t - 1)(\ell - 1) > 1$ then $\pi^k \equiv 1 \pmod{\mathfrak{p}_i^{e_i(t-1)}}$. We conclude that if $t > 2$ or $\ell > 2$, and the points of $A[\ell^t]$ are defined over the degree-$k\ell$ extension of $F$, then the points of $A[\ell^{t-1}]$ are defined over the degree-$k$ extension of $F$. If $A[\ell^d] \subseteq A(F')$, then by descending induction $A[\ell] \subseteq A(F)$ if $\ell$ is odd, and $A[4] \subseteq A(F_2)$ if $\ell = 2$, where $F_2$ is the quadratic extension of $F$.

It remains to show that if $A[4] \subseteq A(F_2)$, then $A[2] \subseteq A(F)$. This is equivalent to showing that if $\pi^2 - 1 \in 4R$ then $\pi - 1 \in 2R$. We prove the contrapositive: suppose $\pi - 1 \notin 2R$. Then there is some prime $\mathfrak{p}$ over 2 such that $v_{\mathfrak{p}}(\pi - 1) < v_{\mathfrak{p}}(2)$. Since $\pi + 1 = (\pi - 1) + 2$ and $v_{\mathfrak{p}}(\pi - 1) < v_{\mathfrak{p}}(2)$, we must also have $v_{\mathfrak{p}}(\pi + 1) < v_{\mathfrak{p}}(2)$. Multiplying the two expressions gives $v_{\mathfrak{p}}(\pi^2 - 1) < v_{\mathfrak{p}}(4)$, so $\pi^2 - 1$ cannot be contained in $4R$. We conclude that $\pi^2 - 1 \in 4R$ implies $\pi - 1 \in 2R$. □

Corollary 6.4. Let $J$ be the Jacobian of a genus 2 curve over $\mathbb{F}_p$, and suppose that $\mathrm{End}(J)$ is isomorphic to the ring of integers $O_K$ of the primitive quartic CM field $K$. Let $\ell^d$ be a prime power with $\ell \ne p$, and suppose $\mathbb{F}_{p^k}$ is the smallest field over which the points of $J[\ell^d]$ are defined. Then $k < 3p^6$.

Proof. By Proposition 6.2, the points of $J[\ell]$ are defined over a field $F$ of degree less than $\ell^3$ over $\mathbb{F}_p$. By Proposition 6.3, the points of $J[\ell^d]$ are defined over a field $L$ of degree $\ell^{d-1}$ over $F$. Since degrees of extensions multiply, we get
$$k = [L : \mathbb{F}_p] < \ell^{d+2} \le \ell^{3d}.$$
By Proposition 6.1, $\ell^d \le \frac{16}{\sqrt{\Delta}}p^2$, where $\Delta$ is the discriminant of the quartic CM field $K$. Lemma 6.5 below shows that any primitive quartic CM field has $\Delta \ge 125$, so $\ell^d \le \frac{16}{\sqrt{125}}p^2$. Since $k < \ell^{3d}$ and $(16/\sqrt{125})^3 < 3$, we conclude that $k < 3p^6$. □

Lemma 6.5. Suppose $K$ is a primitive quartic CM field. Then $\Delta(K) \ge 125$.

Proof. Since $\Delta(\mathbb{Q}(\zeta_5)) = 125$, it suffices to show that no smaller discriminant can occur. The fact that $\Delta(K) > 0$ follows from [How, Proposition 9.4]. Now suppose $\Delta(K) < 125$, and let $K_0$ be the real quadratic subfield of $K$. Since $\Delta(K_0)^2 \mid \Delta(K)$, we must have $K_0 = \mathbb{Q}(\sqrt{2})$ or $\mathbb{Q}(\sqrt{5})$, as these are the only two real quadratic fields with discriminant less than 12. Since $\mathbb{Q}(\sqrt{2})$ has class number 1, by [Neu, Proposition VI.6.9], $\mathbb{Q}(\sqrt{2})$ has no unramified quadratic extensions, so $\Delta(K)$ is strictly greater than $\Delta(K_0)^2$. Thus if $K_0 = \mathbb{Q}(\sqrt{2})$ then $\Delta(K) \ge 128$.

We deduce that $K_0 = \mathbb{Q}(\sqrt{5})$ and $K$ must be of the form $\mathbb{Q}(i\sqrt{a + b\sqrt{5}})$, with $a$, $b$, and $a^2 - 5b^2$ positive integers. Since $K$ is primitive, $a^2 - 5b^2$ is not a square in $\mathbb{Q}$ and its square-free part divides $\Delta(K)/\Delta(K_0)^2$. It thus suffices to show that the square-free part of $a^2 - 5b^2$ is at least 5; this follows from the fact that 2 and 3 are inert in $\mathbb{Q}(\sqrt{5})$, so there are no integer solutions to $a^2 - 5b^2 = 2$ or $3$. □

7. Computing Igusa class polynomials

This section combines the results of all of the previous sections into a full-fledged probabilistic version of Eisenträger and Lauter's CRT algorithm to compute Igusa class polynomials for primitive quartic CM fields [EL, Theorem 1].

Algorithm 7.1. The following algorithm takes as input a primitive quartic CM field $K$, three integers $\lambda_1, \lambda_2, \lambda_3$ which are multiples of the denominators of the three Igusa class polynomials, and a real number $\varepsilon > 0$, and outputs three polynomials $H_1, H_2, H_3 \in \mathbb{Q}[x]$. With high probability, the polynomials $H_i(x)$ output by the algorithm are the Igusa class polynomials for $K$.

(1) (Initialization.)

(a) Let $D$ be the degree of the Igusa class polynomials for $K$, computed via class number algorithms, e.g. [Coh, Algorithm 6.5.9].

(b) Compute an integral basis $\mathcal{B}$ for $O_K$, using e.g. [Coh, Algorithm 6.1.8].

(c) Set $p \leftarrow 3$, $B \leftarrow 1$, $H_1, H_2, H_3 \leftarrow 0$, $F_1, F_2, F_3 \leftarrow 0$.

(2) Set $p \leftarrow \mathrm{NextPrime}(p)$ until $p$ splits completely in $K$ and $p$ splits into principal ideals in $K^*$ (the reflex field of $K$).

(3) (Finding the curves.) Set $T_1, T_2, T_3 \leftarrow \{\}$. For each $(i_1, i_2, i_3) \in \mathbb{F}_p^3$, do the following:

(a) Compute a curve $C/\mathbb{F}_p$ with Igusa invariants $(i_1, i_2, i_3)$, using the algorithms of Mestre [Mes] and Cardona-Quer [CQ].

(b) Run Algorithm 2.1 with inputs $K$, $p$, $C$.

(i) If the algorithm outputs false, go to the next triple $(i_1, i_2, i_3)$.

(ii) If the algorithm outputs true, let $\pi$ be one of the possible Frobenius elements it outputs.

(c) For each prime $\ell$ dividing $[O_K : \mathbb{Z}[\pi, \bar\pi]]$, do the following:

(i) Run Algorithm 4.1 with inputs $K$, $\ell$, $\pi$. Let the output be $k$.

(ii) Run Algorithm 4.3 with inputs $\mathrm{Jac}(C)$, $\mathbb{F}_{p^k}$, $\ell$, and $\varepsilon$. If the output is false, go to the next triple $(i_1, i_2, i_3)$.

(iii) If $\ell^2$ divides $[O_K : \mathbb{Z}[\pi, \bar\pi]]$, then for each $\alpha \in \mathcal{B} \setminus \mathbb{Z}$ written in the form (3.2) with denominator $n$, do the following:

(A) Let $d$ be the largest integer such that $\ell^d \mid n$. If $d = 0$, go to the next $\alpha$.

(B) Set $k' \leftarrow k\ell^{d-1}$.

(C) Run Algorithm 5.1 with inputs $\mathrm{Jac}(C)$, $\mathbb{F}_{p^{k'}}$, $\ell^d$, $\pi$, $\frac{n}{\ell^d}\alpha$, $\varepsilon$.

(D) If Algorithm 5.1 outputs false, go to the next triple $(i_1, i_2, i_3)$. Otherwise go to the next $\alpha$.

(d) Adjoin $i_1, i_2, i_3$ to the sets $T_1, T_2, T_3$, respectively (counting multiplicities).

(4) If the size of each set $T_1, T_2, T_3$ is not equal to $D$, go to Step 2.

(5) (Computing the Igusa class polynomials.) For $i \in \{1, 2, 3\}$, do the following:

(a) Compute $F_{i,p}(x) = \lambda_i \prod_{j \in T_i}(x - j)$ in $\mathbb{F}_p[x]$.

(b) Use the Chinese Remainder Theorem to compute $F_i'(x) \in \mathbb{Z}[x]$ such that $F_i'(x) \equiv F_i(x) \pmod{B}$, $F_i'(x) \equiv F_{i,p}(x) \pmod{p}$, and the coefficients of $F_i'(x)$ are in the interval $[-pB/2, pB/2]$.

(c) If $F_i'(x) = F_i(x)$, output $H_i(x) = \lambda_i^{-1}F_i(x)$. If $H_i(x)$ has been output for all $i$, terminate the algorithm.

(d) Set $F_i(x) \leftarrow F_i'(x)$.

(6) Set $B \leftarrow pB$, and return to Step 2.



Proof. In view of [EL, Theorem 1], it suffices to prove that Step 3c correctly 
determines the set of curves with $\mathrm{End}(\mathrm{Jac}(C)) = \mathcal{O}_K$. It follows from Section 3 
that $\mathrm{End}(\mathrm{Jac}(C)) = \mathcal{O}_K$ if and only if each of the elements of the generating set 
listed in Proposition 3.8 is an endomorphism. 

By Algorithm 2.1 the $\pi$ computed in Step 3b is such that $\pi^\sigma$ is the Frobenius 
element of $\mathrm{Jac}(C)$ for some $\sigma \in \mathrm{Aut}(K/\mathbb{Q})$. By Corollary 3.10, $\mathrm{End}(\mathrm{Jac}(C)) = \mathcal{O}_K$ 
if and only if $\beta^\sigma$ is an endomorphism for each $\beta$ in the generating set of Proposition 
3.8. Since elements of $\mathrm{Aut}(K/\mathbb{Q})$ preserve $\mathcal{O}_K$ as a set, 
$[\mathcal{O}_K : \mathbb{Z}[\pi^\sigma, \bar\pi^\sigma]] = [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$. 
For each $\ell$ dividing $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$, Steps 3(c)i and 3(c)ii test probabilistically 
whether $((\pi^\sigma)^k - 1)/\ell$ is an endomorphism for an appropriate $k$. By Corollary 3.5, for 
any such $\ell$ dividing $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ exactly, this suffices to determine whether $\alpha^\sigma$ 
is an endomorphism for each $\alpha \in B \setminus \mathbb{Z}$. 

By Corollary 5.2, if $\ell^2$ divides $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ then Step 3(c)iii tests probabilistically 
whether $\alpha^\sigma$ is an endomorphism. The input uses the field $\mathbb{F}_{p^{k'}}$ because 
Proposition 6.3 implies that if the $\ell$-torsion points are defined over $\mathbb{F}_{p^k}$, then the 
$\ell^d$-torsion points are defined over $\mathbb{F}_{p^{k'}}$. □ 

Remark 7.2. Note that Step 5 differs from the corresponding step in [EL, Theorem 1]. 
Our version of the algorithm minimizes the amount of computation by 
terminating the algorithm in Step 5c as soon as the polynomials agree modulo 
two consecutive primes. For each prime $p_i$ in an increasing sequence of primes, 
we compute a polynomial $F_{i,p}(x)$ that is congruent to the Igusa class polynomial 
$H_i(x)$ modulo the prime $p_i$ [EL, Theorem 2]. We then use the Chinese Remainder 
Theorem and the collection of polynomials $\{F_{i,p}(x)\}$ to compute a polynomial 
$F_i(x)$ modulo $b_i = \prod_{j=1}^{i} p_j$. If $F_i(x) = F_{i+1}(x)$, then with high probability the 
coefficients of $H_i(x)$ are less than $b_i/2$ in absolute value, and thus $F_i(x)$ is equal to $H_i(x)$ itself. This 
conclusion is justified by the fact that if an integer $n$ has the property that it is 
the same modulo $b_i$ and modulo $b_{i+1}$, then $n = a_i + r_i b_i = a_{i+1} + r_{i+1} b_{i+1}$, with 
$a_i < b_i$ and $a_i = a_{i+1}$. It follows that $p_{i+1}$ divides $r_i$. Since the probability of this 
happening for a random number $r_i$ is $1/p_{i+1}$, the probability that all coefficients 
would simultaneously satisfy this congruence is $(1/p_{i+1})^{D+1}$, so most likely we have 
that actually $r_{i+1} = 0$ for each coefficient. 
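Step 5 of Algorithm 7.1 and the stopping rule of Remark 7.2 can be exercised directly on the numbers of Table 1. The following is an added example, not the paper's code or its MAGMA implementation: it lifts a polynomial coefficient by coefficient into the centred interval $[-pB/2, pB/2]$ of Step 5b and stops when a new prime leaves the lift unchanged (Step 5c). Since the per-prime polynomials $F_{i,p}(x)$ of Step 5a would come from curve counting, they are simulated here by reducing the known answer $x - 1836660096$ from Table 1 modulo each prime of that table; the function names are my own, and Python 3.8 or later is assumed for the modular inverse via `pow`.

```python
"""Added example (not the paper's code): Step 5 of Algorithm 7.1 and the
stopping rule of Remark 7.2, run on the data of Table 1.

The per-prime polynomials F_{i,p}(x) of Step 5a would normally come from the
curves found over F_p; here they are simulated by reducing the known answer
x - 1836660096 (Table 1, lambda_1 = 1) modulo each prime of Table 1.  The
CRT lift of Step 5b is done coefficient by coefficient into the centred
interval [-pB/2, pB/2], and Step 5c fires when a new prime leaves the lifted
polynomial unchanged.  Requires Python 3.8+ for pow(B, -1, p).
"""


def symmetric_crt(a, B, b, p):
    """Return the unique c with c = a (mod B), c = b (mod p) and
    -pB/2 < c <= pB/2.  B and p must be coprime, which holds in Algorithm 7.1
    because B is the product of the primes used so far and p is a new prime."""
    M = B * p
    t = ((b - a) * pow(B, -1, p)) % p   # choose t with a + B*t = b (mod p)
    c = (a + B * t) % M                 # now c = a (mod B) and c = b (mod p)
    if c > M // 2:                      # move into the centred interval
        c -= M
    return c


def lift_polynomial(F, B, F_p, p):
    """Step 5b: coefficient-wise CRT of F (known mod B) and F_p (known mod p).
    Polynomials are coefficient lists, lowest degree first."""
    return [symmetric_crt(a, B, b, p) for a, b in zip(F, F_p)]


def run_step5(true_coeffs, primes):
    """Simulate Steps 5 and 6 of Algorithm 7.1 for one Igusa class polynomial.

    true_coeffs: integer coefficients of lambda_i * H_i(x), lowest degree
                 first; used only to fake the residues F_{i,p} of Step 5a.
    primes:      increasing list of the primes p chosen in Step 2.
    Returns (p_stop, F, history): the prime at which Step 5c terminates (None
    if the list is exhausted first), the polynomial output, and the lift
    obtained after each prime, for comparison with the last column of Table 1.
    """
    B = 1
    F = [0] * len(true_coeffs)                  # Step 1c: F_i <- 0, B <- 1
    history = []
    for p in primes:
        F_p = [c % p for c in true_coeffs]      # stand-in for Step 5a
        F_new = lift_polynomial(F, B, F_p, p)   # Step 5b
        history.append((p, F_new))
        if F_new == F:                          # Step 5c: stable under a new prime
            return p, F, history
        F = F_new                               # Step 5d
        B *= p                                  # Step 6
    return None, F, history


# Constructed from Table 1: the primes used and the first Igusa class polynomial.
TABLE1_PRIMES = [7, 17, 23, 71, 97, 103, 113, 151]
H1 = [-1836660096, 1]          # x - 1836660096, lowest degree first

if __name__ == "__main__":
    p_stop, F, hist = run_step5(H1, TABLE1_PRIMES)
    for p, lifted in hist:
        print(p, lifted)
    print("Step 5c terminated at p =", p_stop, "with F_1(x) =", F)
```

The centred interval is what makes the stopping rule meaningful: after $p = 103$ the lift is still $x + 104860961$ because the true constant term lies outside $[-B/2, B/2]$ for $B = 1941521057$, after $p = 113$ it becomes $x - 1836660096$, and at $p = 151$ the lift is unchanged, which is exactly when Step 5c outputs it. Running the loop on the other two polynomials of Table 1, or with $\lambda_i \neq 1$, only requires passing the scaled coefficients.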

Remark 7.3. The $\lambda_i$ input into the algorithm can be taken to be products of primes 
bounded in [GL], raised to a power that will be made explicit in forthcoming work. 
In practice, the power can be taken to be a small multiple of 6. 

Since we check after every prime $p_i$ whether the algorithm is finished, we do not 
need to know in advance the number of primes $p_i$ that we will need to use. Thus 
the only bounds that need to be computed in advance are the bounds on the 
denominators of the coefficients of the Igusa class polynomials. In particular, we 
do not need to have a bound on either the numerators or the absolute values of the 
coefficients. 

8. Implementation notes 

Our most significant observation is that in practice, the running time of the 
probabilistic CRT algorithm is dominated by generating $p^3$ curves for each small 
$p$. Steps 3a and 3b of Algorithm 7.1 generate a list of curves $C$ for which 
$\mathrm{End}(\mathrm{Jac}(C))$ is an order in $\mathcal{O}_K$. Algorithms 4.3 and 5.1 determine which endomorphism 
rings are equal to $\mathcal{O}_K$. Data comparing the relative speeds of these two parts 
of the algorithm appear in Section 9. This section describes a number of ways to 
speed up Algorithm 7.1 which are reflected in the running times that appear in 
Section 9. 

(1) If $p$ and $k$ are large, then arithmetic on $J(\mathbb{F}_{p^k})$ is prohibitively slow, which 
slows down Algorithms 4.3 and 5.1. Since for various $\ell$ dividing the index 
$[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$, the extension degrees $k$ depend only on the prime $p$ and 
the CM field $K$ and not on the curve $C$, these extension degrees may be 
computed in advance (via Algorithm 4.1) before generating any curves. We 
set some bound $N$ and tell the program that if the extension degree $k$ for 
some $\ell$ is such that $p^k > N$, we should skip that $p$ and go on to the next 
prime. For example, if $K = \mathbb{Q}(i\sqrt{13 + 2\sqrt{13}})$ and $p = 53$ (see Example 
9.2), we have $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]] = 3^2 \cdot 43$, and the 43-torsion of a Jacobian $J$ 
with $\mathrm{End}(J) = \mathcal{O}_K$ will be defined over $\mathbb{F}_{p^{924}}$, a field of over 5000 bits that 
is far too large for our current implementation to handle efficiently. 

(2) In a similar vein, since the speed of Algorithms 4.3 and 5.1 is determined 
by the size of the fields $\mathbb{F}_{p^k}$, for optimum performance one should perform 
these calculations in order of increasing $k$, so that as the fields get larger 
there are fewer curves to check. 

(3) Algorithms 4.3 and 5.1 take a single curve as input. In Algorithm 7.1 
those algorithms are executed with the same field $K$ and many different 
curves, so any parameter that only depends on the field $K$ and the prime 
$p$ can be precomputed and stored for repeated reference. For example, the 
representation $\alpha = (a_0 + a_1\pi + a_2\pi^2 + a_3\pi^3)/n$ and the extension degrees 
$k$ in Step 3(c)i can be computed only once. In addition, all of the curves 
that pass Step 3b have one of a small number of given zeta functions. 
Since $\#J(\mathbb{F}_{p^k})$ is determined by the zeta function, this number can also be 
computed in advance. 

(4) If $\mathbb{F}_{p^k}$ is small enough, it may be faster to check fields of definition using 
the brute force method of Section 4.1 rather than Algorithm 4.3. If $\ell$ 
is small (as must be the case for $k$ to be small), then we often find that 
$\#J(\mathbb{F}_{p^k}) = \ell^s m$ with $s \gg 4d$, and thus the number of random points needed 
in Algorithms 4.3 and 5.1 will be very large. While computing the group 
structure is an exponential-time computation, we find that if the group has 
size at most $2^{200}$, MAGMA can compute the group structure fairly quickly. 

(5) If Step 5c has already output $H_j(x)$ for some $j$, the roots of this polynomial 
mod $p$ can be used as the possible values of $i_j$ in Step 3. This will greatly 
speed up the calculation of the $F_{i,p}$ for the remaining primes: if one $H_j$ has 
been output then only $p^2 D$ curves need to be computed (instead of $p^3$), and 
if two $H_j$ have been output then only $pD^2$ curves need to be computed. 

(6) In practice, for small primes $p$ ($p < 800$ in our MAGMA implementation), 
computing $\#C(\mathbb{F}_p)$ (the point-counting step of Algorithm 2.1) is more efficient than choosing 
a random point on $J(\mathbb{F}_p)$ and determining whether it is killed by one 
of the potential group orders (Step 5a of Algorithm 2.1), so these two steps 
should be switched for maximum speed. However, as $p$ grows, the order of 
the steps as presented will be the fastest. 
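Notes (3) and (4) above both rest on the fact that $\#J(\mathbb{F}_{p^k})$ is determined by the zeta function of $C$ over $\mathbb{F}_p$. The following added example (not the paper's MAGMA code) shows how those group orders can be precomputed for every extension degree $k$ from the characteristic polynomial of Frobenius alone, using the identity $\#J(\mathbb{F}_{p^k}) = \prod_i (1 - \alpha_i^k) = \det(I - M^k)$ for the companion matrix $M$, and then splits each order as $\ell^s m$ in the form note (4) uses to judge how many random points Algorithms 4.3 and 5.1 would need. The Weil polynomial it runs on is constructed for the illustration (a product of two elliptic-curve factors over $\mathbb{F}_7$), not taken from the paper, and the function names are my own.

```python
"""Added example (not the paper's MAGMA code): precomputing #J(F_{p^k}) from
the zeta function, as in implementation notes (3) and (4).

If P(T) is the characteristic polynomial of Frobenius on Jac(C) over F_p, with
roots alpha_1..alpha_4, then #J(F_{p^k}) = prod_i (1 - alpha_i^k), which equals
det(I - M^k) for the companion matrix M of P.  Exact integer arithmetic on the
4x4 matrix avoids computing the roots.  The sample polynomial is CONSTRUCTED
for this demonstration: p = 7, P(T) = (T^2 - T + 7)(T^2 + 2T + 7), a valid
Weil polynomial but not one of the paper's curves.
"""


def genus2_frobenius_poly(p, a1, a2):
    """T^4 - a1 T^3 + a2 T^2 - p a1 T + p^2, the shape of the Frobenius
    polynomial of a genus 2 Jacobian over F_p, as a coefficient list
    [c0, c1, c2, c3, 1] (lowest degree first)."""
    return [p * p, -p * a1, a2, -a1, 1]


def companion_matrix(poly):
    """Companion matrix of a monic polynomial (coefficients lowest degree
    first); its eigenvalues are the roots of the polynomial."""
    n = len(poly) - 1
    M = [[0] * n for _ in range(n)]
    for i in range(1, n):
        M[i][i - 1] = 1          # ones on the subdiagonal
    for i in range(n):
        M[i][n - 1] = -poly[i]   # negated coefficients in the last column
    return M


def mat_mul(A, B):
    """Product of two square integer matrices."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def mat_pow(M, k):
    """M^k by repeated squaring (exact integers)."""
    n = len(M)
    R = [[int(i == j) for j in range(n)] for i in range(n)]
    while k:
        if k & 1:
            R = mat_mul(R, M)
        M = mat_mul(M, M)
        k >>= 1
    return R


def det(A):
    """Exact integer determinant by Laplace expansion (fine for 4x4)."""
    n = len(A)
    if n == 1:
        return A[0][0]
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * det(minor)
    return total


def group_order(frob_poly, k):
    """#J(F_{p^k}) = det(I - M^k) for the companion matrix M of frob_poly.
    Depends only on the zeta function, so it can be cached per (K, p, k)."""
    n = len(frob_poly) - 1
    Mk = mat_pow(companion_matrix(frob_poly), k)
    I_minus_Mk = [[int(i == j) - Mk[i][j] for j in range(n)] for i in range(n)]
    return det(I_minus_Mk)


def ell_adic_split(N, ell):
    """Write N = ell^s * m with ell not dividing m (the shape used in note (4)
    to judge how many random points Algorithms 4.3 and 5.1 will need)."""
    s = 0
    while N % ell == 0:
        N //= ell
        s += 1
    return s, N


# Constructed sample: (T^2 - T + 7)(T^2 + 2T + 7) = T^4 + T^3 + 12T^2 + 7T + 49,
# i.e. a1 = -1, a2 = 12 over F_7.
SAMPLE_P = 7
SAMPLE_POLY = genus2_frobenius_poly(SAMPLE_P, -1, 12)

if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        N = group_order(SAMPLE_POLY, k)
        print("k =", k, " #J =", N, " 3-adic split:", ell_adic_split(N, 3))
```

For the constructed sample the orders factor as the product of the two elliptic-curve factors, $(1 - s_k + 7^k)$ with $s_k$ the $k$-th power-sum of each quadratic, which is how the values can be checked by hand; for a genuine curve one would feed in the polynomial that Algorithm 2.1 settles on, and the table of orders would be built once per prime $p$ rather than once per curve.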



9. Examples 

This section describes the performance of Algorithm 7.1 on three quartic CM 
fields: $\mathbb{Q}(i\sqrt{2 + \sqrt{2}})$, $\mathbb{Q}(i\sqrt{13 + 2\sqrt{13}})$, and $\mathbb{Q}(i\sqrt{29 + 2\sqrt{29}})$. These fields are 
all Galois and have class number 1, so the density of primes with the desired 
splitting behavior is maximal. The Igusa polynomials are linear; they have integral 
coefficients for the first two fields, and have denominators dividing $5^{12}$ for the 
last. In all three examples, as $p$ grows, the running time of the algorithm becomes 
dominated by the computation of $p^3$ curves for each $p$, whereas it was previously 
suspected that the endomorphism ring computation would be the slow step in 
the CRT algorithm. A fast implementation in C to produce the curves from their 
Igusa invariants and to test the numbers of points would thus significantly improve 
the running time of the CRT algorithm. 
Details of the algorithms' execution are given below. The algorithms were run 
on a 2.39 GHz AMD Opteron with 4 GB of RAM. The table headings have the 
following meaning: 

• $p$: Size of prime field over which curves were generated. 

• $\ell^d$: Prime powers appearing in the denominators $n$ of elements $\alpha$ input into 
Algorithms 4.3 and 5.1 when written in the form (3.2). 

• $k$: Degrees of extension fields over which $\ell^d$-torsion points are expected to 
be defined. These are listed in the same order as the corresponding $\ell^d$. 

• Curves: Time taken to generate $p^3$ curves and determine which have CM 
by $K$ (cf. Algorithm 2.1). 

• #Curves: Number of curves computed whose Jacobians have CM by $K$. 

• 4.3 & 5.1: Time taken to run Algorithms 4.3 and 5.1 to find the single curve 
whose Jacobian has endomorphism ring equal to $\mathcal{O}_K$. 

Example 9.1. We ran Algorithm 7.1 with $K = \mathbb{Q}(i\sqrt{2 + \sqrt{2}})$ and $\lambda_1, \lambda_2, \lambda_3 = 1$. 
The results appear in Table 1. The last column of the table shows the intermediate 
polynomials $F_i(x)$ computed via the Chinese Remainder Theorem in Step 5b. The 
algorithm output the $F_i(x)$ listed for $p = 151$ as the Igusa class polynomials of $K$. 



Table 1. Results for Algorithm 7.1 run with $K = \mathbb{Q}(i\sqrt{2 + \sqrt{2}})$ 
and $\lambda_1, \lambda_2, \lambda_3 = 1$. 

  p  | ℓ^d      | k        | Curves   | #Curves | 4.3 & 5.1 | F_i(x) 
-----+----------+----------+----------+---------+-----------+----------------------------------------------------------
  7  | 2,4      | 2,4      | 0.5 sec  |    7    | 0.3 sec   | x + 2, x + 5, x + 6 (mod 7) 
 17  | 4,8      | 2,4      | 4 sec    |   39    | 0.2 sec   | x - 54, x + 19, x - 8 (mod 119) 
 23  | 2,4,7    | 2,4,3    | 9 sec    |   49    | 2.3 sec   | x + 1017, x + 852, x + 111 (mod 2737) 
 71  | 2,4      | 2,4      | 255 sec  |    7    | 0.7 sec   | x - 75619, x + 28222, x - 46418 (mod 194327) 
 97  | 4,8      | 2,4      | 680 sec  |   39    | 0.3 sec   | x - 8237353, x + 9355918, x + 9086951 (mod 18849719) 
103  | 2,4,17   | 2,4,16   | 829 sec  |  119    | 17.6 sec  | x + 104860961, x - 28343520, x - 9762768 (mod 1941521057) 
113  | 7,8,32   | 6,4,16   | 1334 sec | 1281    | 28.8 sec  | x - 1836660096, x - 28343520, x - 9762768 (mod 219391879441) 
151  | 2,4,7,17 | 2,4,6,16 | 0.2 sec  |    1    |           | x - 1836660096, x - 28343520, x - 9762768 (mod 33128173795591) 



The total time of this run was 3162 seconds, or about 53 minutes. We observe 
that the polynomials $F_2$ and $F_3$ agree for $p = 103$ and $p = 113$. We deduce 
that these polynomials are the correct Igusa polynomials, and following note (5) of 
Section 8 we use their roots for the values of $i_2$ and $i_3$ for $p = 151$. Thus instead 
of computing $151^3 \approx 2^{22}$ curves, we need to compute only 151 curves, out of which 
we can easily choose the right one. As a result, the computation for $p = 151$ takes 
practically no time at all. The same phenomenon also appears for the last prime 
in Examples 9.2 and 9.3. 

Example 9.2. We ran Algorithm 7.1 with $K = \mathbb{Q}(i\sqrt{13 + 2\sqrt{13}})$ and $\lambda_1, \lambda_2, \lambda_3 = 1$. 
The results appear in Table 2. The algorithm output the following Igusa class 
polynomials: 

$x - 1836660096, \quad x - 28343520, \quad x - 9762768.$ 

The total time of this run was 6969 seconds, or about 116 minutes. In this example 
we skip some primes because Algorithms 4.3 and 5.1 would need to compute 
in fields which are too large to be practical. In particular, for $p = 29, 53, 107, 139$, 
the algorithms would run over extension fields of degree 264, 924, 308, 162, all of 
which have well over 1000 bits. Skipping these primes has no effect on the ultimate 
outcome of the algorithm. 



Table 2. Results for Algorithm 7.1 with $K = \mathbb{Q}(i\sqrt{13 + 2\sqrt{13}})$ 
and $\lambda_1, \lambda_2, \lambda_3 = 1$. 

  p  | ℓ^d   | k     | Curves   | #Curves | 4.3 & 5.1 
-----+-------+-------+----------+---------+----------- 
 29  | 3,23  | 2,264 |          |         |           
 53  | 3,43  | 2,924 |          |         |           
 61  | 3     | 2     | 167 sec  |    9    | 0.2 sec   
 79  | 27    | 18    | 376 sec  |   81    | 8.1 sec   
107  | 9,43  | 6,308 |          |         |           
113  | 3,53  | 1,52  | 1118 sec |  159    | 137.2 sec 
131  | 9,53  | 6,52  | 1872 sec |  477    | 127.4 sec 
139  | 9,243 | 6,162 |          |         |           
157  | 9,81  | 6,54  | 3147 sec |  243    | 16.5 sec  
191  | 3,4,8 | 2,2,4 | 0.2 sec  |    1    |           


Example 9.3. We ran Algorithm 7.1 with $K = \mathbb{Q}(i\sqrt{29 + 2\sqrt{29}})$ and $\lambda_1, \lambda_2, \lambda_3 = 5^{12}$. 
The results appear in Table 3. The algorithm output the following Igusa class 
polynomials: 

$x - \dfrac{2614061544410821165056}{5^{12}}, \quad x + \dfrac{586040972673024}{5^{6}}, \quad x + \dfrac{203047103102976}{5^{6}}.$ 

The total time of this run was 56585 seconds, or about 15 hours, 43 minutes. 
In this example we again skip some primes because the fields input to Algorithms 
4.3 and 5.1 would be too large. We also note that for $p = 7$, $\mathcal{O}_K = \mathbb{Z}[\pi, \bar\pi]$, so any 
curve over $\mathbb{F}_7$ that has a correct zeta function already has CM by all of $\mathcal{O}_K$, and 
we do not need to run Algorithms 4.3 and 5.1. 
Table 3. Results for Algorithm 7.1 with $K = \mathbb{Q}(i\sqrt{29 + 2\sqrt{29}})$ 
and $\lambda_1, \lambda_2, \lambda_3 = 5^{12}$. 

  p  | ℓ^d    | k       | Curves   | #Curves | 4.3 & 5.1  
-----+--------+---------+----------+---------+------------ 
  7  |        |         | 0.3 sec  |    1    |            
 23  | 13     | 84      | 9 sec    |   15    | 70.7 sec   
 53  | 7      | 6       | 105 sec  |    7    | 0.5 sec    
 59  | 4,5,8  | 2,12,4  | 164 sec  |  322    | 6.4 sec    
 83  | 3,5    | 4,24    | 431 sec  |   77    | 9.8 sec    
103  | 67     | 1122    |          |         |            
107  | 7,13   | 6,42    | 963 sec  |  105    | 69.3 sec   
139  | 7,25   | 2,60    | 2189 sec |  259    | 62.1 sec   
181  | 9,27   | 6,18    | 84 min   |  161    | 3.6 sec    
197  | 5,109  | 24,5940 |          |         |            
199  | 25     | 60      | 106 min  |   37    | 1355.3 sec 
223  | 4,8,23 | 2,4,22  | 174 min  | 1058    | 35.1 sec   
227  | 109    | 1485    |          |         |            
233  | 5,7,13 | 8,3,28  | 193 min  |  735    | 141.6 sec  
239  | 7,109  | 6,297   |          |         |            
257  | 3,7,13 | 4,6,84  | 286 min  | 1155    | 382.8 sec  
277  | 5,7,23 | 24,6,22 | 0.3 sec  |    1    |            


Remark 9.4. The data in Examples 9.1, 9.2 and 9.3 suggest that odd primes 
dividing the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ always split in $\mathcal{O}_{K_0}$, the ring of integers of $K_0$. 
In fact the factorization of the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ was given in [EL, Proposition 
5] for primitive quartic CM fields $K$ when $K_0$ has class number 1. We write $\pi = 
c_1 + c_2\sqrt{d} + (c_3 + c_4\sqrt{d})\eta$, where the $c_i$ are rational numbers with only powers of 
2 in the denominators and $\eta = i\sqrt{a + b\sqrt{d}}$ with $a, b, d \in \mathbb{Z}$, $d > 0$ and square-free. 
Then the index is, up to powers of 2, the product of $c_2$ with $(c_3^2 - c_4^2 d)$, where $c_2$ 
is the index of $\mathbb{Z}[\pi + \bar\pi]$ in $\mathcal{O}_{K_0}$ up to a power of 2. If a prime divides $(c_3^2 - c_4^2 d)$ 
exactly, i.e. the square of the prime does not divide it, then the prime splits in $K_0$. 
Thus primes different from 2 dividing the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ exactly either split 
in $K_0$ or divide the index $[\mathcal{O}_{K_0} : \mathbb{Z}[\pi + \bar\pi]]$. So except possibly for primes dividing 
$c_2$, no odd primes dividing the index $[\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ exactly are inert or totally 
ramified in $K$. If $K$ is Galois, then this is enough to ensure that the extension 
degree $k$ determined by Proposition 6.2 is at most $\ell^2$. This agrees with the data in 
our examples, all of which considered Galois fields. 

In practice, if a prime $\ell$ is inert or totally ramified in $K$, it would almost certainly 
be skipped anyway, since Proposition 6.2 shows that the $\ell$-torsion may be defined 
over an extension field of degree $k \approx \ell^3$, which is too large to be practical (cf. Note 
(1) of Section 8). However the theoretical running times of Algorithms 4.3 and 5.1, 
given by Propositions 4.6 and 5.5 respectively, improve if inert or ramified primes $\ell$ 
are not considered. The slow step of both algorithms is computing a random point 
on $J(\mathbb{F}_{p^k})$, which takes roughly $O(k^2 \log k (\log p)^2)$ $\mathbb{F}_p$-operations. Since the bound 
on $\ell$ is $p^2$, if $k$ is bounded by $\ell^2$ instead of $\ell^3$, this step would run in $O(p^8 \log^3 p)$ 
instead of $O(p^{12} \log^3 p)$ time. 